W3C home > Mailing lists > Public > www-talk@w3.org > May to June 1995

Re: User authentication

From: Rick Troth <TROTH@ua1vm.ua.edu>
Date: Mon, 08 May 95 17:00:37 CDT
Message-Id: <9505082210.AA08541@www10.w3.org>
To: Multiple recipients of list <www-talk@www10.w3.org>
        I've been considering  "agent authentication"  for a different
protocol  (other than HTTP or SMTP or NNTP).   It seems  (and someone
suggested this to me)  that we need a general purpose user authentication
mechanism,  something that several protocols could consult.   IDENT is
available  [I may get flamed for even mentioning it]  but isn't  "real
authentication".   Perhaps something stronger?   But what about the
range of administrative domains?   Why (HOW) would you trust  foo.com
to confirm that I am  troth@foo.com  when you don't trust  foo.com
for anything else?   (no shared trust;  no mutual trust)

        I can see a client that tells a server  "I'm acting on behalf of
so-and-so;  check me out for yourself"  where the server then takes a
challenge/response pair and runs that against the  client host.
I don't think this is any stronger than IDENT.

        IDENT is pretty good  (but not 100%)  FOR LOGGING.   If you
check a socket and the  client host  says,  "it's  troth  on this end",
then you can defer the real authentication to  the client host.
That is,  if you don't trust the  client host  at all,  fine.
But if somehow you can trust the  client host,  then you can
(within reason)  trust the IDENT info from it.   (forgery here is
possible but somewhat more difficult than with raw SMTP or NTTP)

        I don't see any way to do  "real authentication"  without
using public key electronic signatures,  and I question whether or not
we need something that strong to eliminate news and mail forgery.


Rick Troth <troth@ua1vm.ua.edu>, Houston, Texas, USA
Received on Monday, 8 May 1995 18:12:44 UTC

This archive was generated by hypermail 2.4.0 : Monday, 20 January 2020 16:08:17 UTC