Access Authorization

Wayne Allen (wa@mcc.com)
Tue, 14 Sep 93 10:02:36 CDT


Pardon me if I am re-hashing a previous discussion - I am a new
subscriber to this list.

I read the documents concerning WWW Access Authorization. I don't
agree with the contention that web-based documents won't need strictly
authenticated access control. Here at EINet we use a Kerberos-based
authentication system to establish method requires bilateral, encrypted communication on the socket to be
used for information transmission. (For best results, the
transmission itself would also be encrypted, but we can talk about
that later.) We don't believe this is too difficult *or* too slow for
use in the web.

Leaving out the message termination stuff (I wish message might look something like:

GET /some/document Authorization: KerberosV4

If the server does *not* support this form of authorization, it returns
the "HTTP/1.0 401" status code along with the name of an
authentication scheme it supports (as is proposed).

If the server *does* support this form of authentication, it returns a
"please continue" status, and *holds the connection*. The client and
server then both call the appropriate Kerberos functions for mutual
authentication. The authentication is conducted over the open
connection, using encrypted communication. If authentication succeeds,
the server uses the authenticated identity to conduct the access
authorization, and either returns the requested data or an error
status.

The reason the authentication protocol must be conducted over the same
connection as the data transmission is that the server cannot be
absolutely sure from one connection to the next whether it is talking
to the same client. That's the whole point of authentication, after
all.

Comments? (... as he hefts his Kevlar-reinforced asbestos body armor
into place :-)

--
 wa | Wayne Allen, EINet - wa@mcc.com		 	 FAX: (512)338-3897
    | MCC/ISD, 3500 West Balcones Center Dr, Austin, Tx 78759 (512)338-3754
    | "...and this mess is so wide and so deep and so tall,
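The exchange sketched in the message above, as an added example that is not part of the original post or of EINet's code: a toy client and server on a local socketpair, where a keyed challenge-response stands in for the Kerberos V4 calls, the authentication runs on the same connection that then carries the document, and the server names a scheme it supports when it refuses one. The session key, paths, principals and the "100 Continue" status line are constructed assumptions.

```python
import hashlib, hmac, os, socket, threading

# Constructed stand-in for the session key Kerberos would hand both parties;
# only the shape of the exchange is modelled, not Kerberos V4 itself.
SESSION_KEY = b"constructed-session-key"
DOCUMENTS = {b"/some/document": b"EINet document body"}
ACL = {b"/some/document": {b"wa@mcc.com"}}    # path -> principals allowed to read
SUPPORTED = (b"KerberosV4",)

def proof(key, *parts):
    # keyed MAC over the challenge: each side's evidence that it holds the key
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest().encode()

def serve(sock):
    rf = sock.makefile("rb")
    request, _, scheme = rf.readline().rstrip(b"\n").partition(b" Authorization: ")
    path = request.split()[1]
    if scheme not in SUPPORTED:
        # unsupported scheme: 401 naming a scheme the server does support
        sock.sendall(b"HTTP/1.0 401 Unauthorized " + SUPPORTED[0] + b"\n")
        return
    # supported: answer "please continue" and hold the connection for the handshake
    challenge = os.urandom(16).hex().encode()
    sock.sendall(b"HTTP/1.0 100 Continue " + challenge + b"\n")
    principal, client_proof = rf.readline().rstrip(b"\n").split(b" ")
    if not hmac.compare_digest(client_proof, proof(SESSION_KEY, b"client", challenge, principal)):
        sock.sendall(b"HTTP/1.0 401 Unauthorized\n")
        return
    # authorise the identity just authenticated on this same connection and
    # attach the server's own proof so the client can authenticate the server
    allowed = principal in ACL.get(path, set())
    status, body = (b"200 OK", DOCUMENTS[path]) if allowed else (b"403 Forbidden", b"")
    sock.sendall(b"HTTP/1.0 " + status + b" " + proof(SESSION_KEY, b"server", challenge) + b" " + body + b"\n")

def fetch(path, principal, scheme=b"KerberosV4", key=SESSION_KEY):
    """Client side over a local socketpair; returns (status code, body)."""
    c, s = socket.socketpair()
    threading.Thread(target=serve, args=(s,), daemon=True).start()
    rf = c.makefile("rb")
    c.sendall(b"GET " + path + b" Authorization: " + scheme + b"\n")
    words = rf.readline().rstrip(b"\n").split(b" ")
    if words[1] != b"100":                    # refused outright; nothing to continue
        return words[1], b" ".join(words[3:])
    challenge = words[3]
    c.sendall(principal + b" " + proof(key, b"client", challenge, principal) + b"\n")
    words = rf.readline().rstrip(b"\n").split(b" ", 4)
    if words[1] == b"401":                    # our proof was rejected
        return words[1], b""
    if not hmac.compare_digest(words[3], proof(key, b"server", challenge)):
        raise ValueError("server failed mutual authentication")
    return words[1], words[4] if len(words) > 4 else b""
```

A client that presents an unsupported scheme learns the supported one from the 401; a client with the wrong key is refused before any document is sent, and an authenticated principal missing from the ACL gets 403.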