Re: User authentication

Rick Troth writes:

| I don't see any way to do "real authentication" without
| using public key electronic signatures, and I question whether or not
| we need something that strong to eliminate news and mail forgery.

I suspect SMTP and NNTP are still an authentication-free zone for the vast majority of Internet users.  Best shot is to have a browser that can be configured to refuse to send messages unless _it_ is happy with your credentials?

So, the authentication mechanism just has to be strong enough that you can satisfy the browser, rather than the whole world.  In which case, all we really need is some variation on

  o domain name/port number to contact
  o user name
  o "password"

There are lots of simple authentication scenarios which fit into this model, e.g. POP, IMAP, and even FTP.  No export restrictions here!

Servers are trivial to implement, and (hey!) you might have one already? :-)

Client support should be trivial to add to the browser - after all, you already have primitive operations to open and close TCP connections & read and write data.

QED?

Martin

PS For something more sophisticated, see the APOP command in RFC 1725.

Received on Wednesday, 10 May 1995 09:46:01 UTC
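
The APOP exchange mentioned in the postscript, sketched from both sides as an added example (not part of the original message): the server's greeting carries a one-time timestamp, the client answers with an MD5 digest of that timestamp plus the shared secret, and the password itself never crosses the wire. The account table, the host name `pop.example.org` and all function names are constructed for illustration; the `mrose`/`tanstaaf` sample secret is the one used in the RFC's own APOP example.

```python
import hashlib
import hmac
import os
import re
import secrets

# Constructed account table. APOP requires the server to hold the secret in
# recoverable form, which is one of the scheme's costs.
SECRETS = {"mrose": "tanstaaf"}

def make_greeting(host="pop.example.org"):
    """Server banner with a fresh challenge; it must differ on every connection."""
    return f"+OK POP3 server ready <{os.getpid()}.{secrets.token_hex(8)}@{host}>"

def extract_timestamp(greeting):
    """Client side: pull the <...> challenge out of the banner, or None."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting)
    return m.group(0) if m else None

def apop_digest(timestamp, secret):
    """MD5 over the timestamp (angle brackets included) followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()

def client_command(greeting, user, secret):
    """Build the APOP line; fail loudly rather than fall back to USER/PASS."""
    ts = extract_timestamp(greeting)
    if ts is None:
        raise ValueError("server did not offer an APOP challenge")
    return f"APOP {user} {apop_digest(ts, secret)}"

def server_verify(greeting, command):
    """Check an APOP line against the challenge issued for this session only."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    _, user, digest = parts
    secret = SECRETS.get(user)
    if secret is None or not re.fullmatch(r"[0-9a-f]{32}", digest):
        return False
    expected = apop_digest(extract_timestamp(greeting), secret)
    return hmac.compare_digest(expected, digest)  # constant-time comparison

if __name__ == "__main__":
    banner = make_greeting()
    line = client_command(banner, "mrose", "tanstaaf")
    print(banner, line, server_verify(banner, line), sep="\n")
    # The same line replayed against a new session's challenge is rejected.
    print(server_verify(make_greeting(), line))
```

A captured APOP line is useless against a later session because the challenge changes, but anyone who records one exchange can still guess passwords offline against the digest, and MD5 is no longer considered a sound basis for this.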