On Mon, Jun 19, 2006 at 01:31:21PM -0400, Sam Hartman wrote:
> I was intrigued by Phil Hallam-Baker's idea to separate HTTP
> authentication into two parts: one between a user and some
> authentication/identity service and one between the authentication
> service and the relying party.
[...]

Gosh, that sounds like a ticketing service... Like Kerberos, actually. Or we could make a ticketing service out of PKIX technologies. Or out of SAML/XMLdsig/XMLenc. Or something totally new! Or we could try to re-use specs. :)

Yes, I see why you suggest Kerberos.

One argument I've seen against Kerberos is that it requires online infrastructure, but I think it's now clear that all the good choices in this space do (e.g., PKIX CRL and OCSP servers, online CAs, SACRED servers, etc.).

That leaves the argument that Kerberos V KDCs know too many secret keys, but Kerberos V has been getting PK technology added to it too, and in the end the specs will allow users to make the public key vs. shared symmetric key decisions (which I think is a good thing, provided that we inform those making the choices of the relevant trade-offs).

However, the strongest arguments against Kerberos, that is, the political ones, are also the most superficial. I don't know how you argue with fashion :)

Nico
-- 
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
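The following Python sketch is an added illustration, not code from the mail, from the dix working group, or from any of the specs it names. It models the two-leg split the thread describes in its Kerberos V form: an authentication service checks the user's password and issues a ticket bound to one relying party; the relying party verifies the ticket with a symmetric key it shares with the authentication service and never handles the password. The relying-party names, the user "alice", and all keys are constructed sample data; the ticket format (base64 JSON plus an HMAC-SHA256 tag) is an assumption chosen for brevity, not a Kerberos or SAML encoding.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data: one long-term symmetric key per relying party,
# shared with the authentication service. The size of this table is the
# "KDC knows too many secret keys" objection raised in the mail; a PK variant
# would replace the HMAC tag with a signature and this table with one key pair.
RP_KEYS = {
    "www.example.test": secrets.token_bytes(32),
    "mail.example.test": secrets.token_bytes(32),
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the service stores a slow hash rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """First leg: authenticates the user, then issues a ticket for one relying party."""

    def __init__(self, rp_keys):
        self.rp_keys = rp_keys
        self.users = {}  # username -> (salt, pbkdf2 hash); constructed sample store

    def enroll(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def _check_password(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(hash_password(password, salt), expected)

    def issue_ticket(self, username, password, rp, lifetime=300, now=None):
        """Return a ticket string, or None if the user or relying party is unknown."""
        if not self._check_password(username, password) or rp not in self.rp_keys:
            return None
        now = time.time() if now is None else now
        claims = {"sub": username, "rp": rp, "iat": now, "exp": now + lifetime,
                  "nonce": _b64e(secrets.token_bytes(8))}
        body = json.dumps(claims, sort_keys=True).encode()
        # The tag is computed under the relying party's key, so only that party
        # (and the service) can verify it, and it is useless at any other party.
        tag = hmac.new(self.rp_keys[rp], body, hashlib.sha256).digest()
        return _b64e(body) + "." + _b64e(tag)


class RelyingParty:
    """Second leg: checks the ticket with its own shared key; never sees the password."""

    def __init__(self, name, key):
        self.name = name
        self.key = key

    def verify_ticket(self, ticket, now=None):
        """Return the verified claims, or None for a malformed, forged, misdirected or expired ticket."""
        try:
            body_b64, tag_b64 = ticket.split(".")
            body, tag = _b64d(body_b64), _b64d(tag_b64)
        except ValueError:  # wrong number of fields or invalid base64
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # MAC checked before parsing, so body below is authentic
        claims = json.loads(body)
        now = time.time() if now is None else now
        if claims.get("rp") != self.name or not (claims["iat"] <= now < claims["exp"]):
            return None
        return claims


if __name__ == "__main__":
    svc = AuthService(RP_KEYS)
    svc.enroll("alice", "correct horse")
    www = RelyingParty("www.example.test", RP_KEYS["www.example.test"])
    ticket = svc.issue_ticket("alice", "correct horse", "www.example.test")
    print(www.verify_ticket(ticket))
```

The two checks that matter for the split are the `rp` claim and the per-party key: together they stop a ticket obtained for one relying party from being replayed at another, which is the property the shared-key table buys at the cost of the service holding every party's key.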
