- From: Daniel DuBois <ddubois@spyglass.com>
- Date: Tue, 18 Jul 95 08:27:16 -0500
- To: www-talk@w3.org
>******* II. The business-card authentication scheme
>
>I propose a new http authentication scheme; let's call it
>"business-card". Its purpose is to facilitate access control policies
>similar to "I'll show you my information if you'll leave your business
>card in the bowl."
>
>An HTTP server may respond to requests with a 403 response, and
>specify the business-card scheme in the challenge, along with a list
>of required, suggested, permitted, and refused fields.

What about the millions of installed browsers which don't have the business card authentication scheme built in? Some browsers [Enhanced Mosaic plug] might have plug-in security modules, but they're the exception.

These people won't be able to see your pages? Then you're cutting yourself off from a huge audience of people who won't bother with a site that's hard to get into. You may as well use basic authentication, then at the time of registration you can get all the information about that user that you want.

Will you revoke the auth requirement if the browser doesn't have it? Then you let un-trackable people in anyway. Might as well rely on the 'From:' field, since it too is an optional field.

In fact, if we are going to design browsers that allow the user the *option* of following the business card auth scheme, we might as well design browsers to allow the user the *option* of sending out the 'From:' field, and, if a server really wanted to, it could alter its output based on whether or not a From: field exists. In other words, let's use what's already there.

-----
Dan DuBois, Software Animal
ddubois@spyglass.com
(708) 505-1010 x532
http://www.spyglass.com/~ddubois/
Received on Tuesday, 18 July 1995 09:27:17 UTC