Re: Access Authorization

Ari Luotonen (luotonen@ptsun00.cern.ch)
Wed, 15 Sep 93 17:07:05 +0200


marca wrote:
> This seems like a really good discussion -- great to see it. BTW,
> we'll be happily supporting Ari's code/methods/etc. in Mosaic for X
> 2.0.

This is fabulous, thanks!!!

Tony Sanders wrote:
> Here is what I think you want for more complex protocols. Note that this
> is a departure from the current proposal because putting the authorization
> scheme after "401" code is too limiting. Consider this a request to
> change the proposal.
>
> client:
> GET /document HTTP/1.0\r\n
> \r\n
> server:
> HTTP/1.0 401 Unauthorized
> Authenticate: External-KerberosIV, realm="bsdi.com",priciple="foo"
> Authenticate: PK-reverse, principle="joe's-computers"
> Authenticate: basic; kerberos

I agree with this proposal and I'm willing to go along with it, but I
want to make one note: A server running a certain protection scheme
in my opinion *should not* accept anything else. For instance in this
example server is accepting both Kerberos authentication and "basic";
if the server requires the relatively high authenticity that Kerberos
provides, why is it that it should settle for less? This weakens the
system, and makes Kerberos in this example useless -- if an intruder
wants to get in, he gets in through the "basic" scheme, and Kerberos
cannot do anything about it.

Besides, running two parallel protection schemes on the same server
causes some major difficulties, am I not right?

Also I would like to remind, that on server side currently *not* so many
protocol tasks are done by the library as on client side, for example
the headers are parsed by the server and not by the library. Complicating
the protocol results in problems with each individual server implementaion,
and it's likely that this results in bugs in each server. What is more
is that these bugs are unique to each server -- they must be corrected
individually; waiting for new release of the library doesn't help, because
the bug is not in there (weeell, from what I've seen it seems likely that
there are some in there, too... ;-)).

Anyway, this proposal (I mean the "Authenticate:" field) is not such change, but I just wanted to say this anyway.

PS. Would someone with more verbal talent with better names for my schemes than "basic" and "pubkey". Otherwise
they might end up with spooky names like
"Dame-Edna's-Purple-Possume-Protection", of DEPPP for short (Hmmm...
too much Coke today... ;-)), or even worse, remain with the depressing
names that they currently have.

-- Aloha, Ari --

\\\\Ari Luotonen//////
\\\\WWW Person//////
\\\\\\/\\\\\//////
\\\\//\\\\//////
\\////\\//////
\/\/\/\/\/\/