- From: Lisa Dusseault <lisa@osafoundation.org>
- Date: Wed, 5 Jul 2006 17:14:00 -0700
- To: Michael Wechner <michael.wechner@wyona.com>
- Cc: Manfred Baedke <manfred.baedke@greenbytes.de>, Julian Reschke <julian.reschke@gmx.de>, w3c-dist-auth@w3.org
We'll be talking about HTTP Authentication issues a lot at the IETF meetings next week in Montreal. Mark Nottingham has scheduled a Wednesday Bar BoF on HTTP changes including authentication, and there's the "Web Authentication Enhancements" BoF on Friday which has combined the topics of cross-site authentication and anti-phishing measures. Other authentication problems people have brought up include Digest's issues with offline dictionary attacks, and poor i18n support in Basic and Digest. The idea of clients suggesting what authentication they'd like to use doesn't come up often. Typically servers have security policies determined by the level of sensitivity of their content/usage, and dictate what authentication and encryption the client needs to use. That's why we're increasingly seeing requirements that clients MUST support TLS, Digest and Basic -- so that servers have a chance of interoperability while also setting minimum security policies. Lisa On Jul 3, 2006, at 6:51 AM, Michael Wechner wrote: > > Manfred Baedke wrote: >> Hi Michael, >> >>> right, this might makes sense for formats. But I would argue with >>> another usecase, namely Custom Authentication >>> instead of HTTP authentication (BASIC or DIGEST). >>> >>> Let's assume a resource is protected and a server would like to >>> offer custom authentication, e.g. it would send >>> a HTML to a regular browser and some WebDAV specific XML to a >>> WebDAV enabled client, whereas I haven't digged into >>> WebDAV far enough how something like this could be handled by the >>> WebDAV spec. >> as Julian pointed out, this form of authentication is not covered >> by any specification, > > I think that's what confused me resp. I wanted to mix stuff which I > have to agree doesn't make sense. > >> so there is no reliable way for a generic client to handle it anyway > > well, if there would be a standard than I don't think this should > be a problem. My suggestion would be that > the client sends a WWW-Authenticate header of its supported > authentication schemes to the server and > the server then checks if one of the client's suggested > authentication schemes is support by the server > and is able to respond appropriately resp. responding with an > exception in the sense, that none of the suggested > authentication schemes is supported. > > It seems to me that "WWW-Authenticate" is similar to "Accept" and > that the client should make this suggestion first > and let the server react to it. > > WDYT? >> (besides the fact that authentication has nothing to do with WebDAV). > > agreed. > > Thanks for clarifying > > Michi >> >> Regards, >> Manfred >> >> > > > -- > Michael Wechner > Wyona - Open Source Content Management - Apache Lenya > http://www.wyona.com http://lenya.apache.org > michael.wechner@wyona.com michi@apache.org > +41 44 272 91 61 > >
Received on Thursday, 6 July 2006 00:14:09 UTC