BARE CRYPTOGRAPHIC IDENTIFIER
After username/password, probably the most familiar sort of
remote identifier is a bare public key. The way this is
used is familiar from SSH: the user generates a public key
and provides the key (or fingerprint) to the relying party
(or parties). He can then sign with the private key to
prove possession.
...
CRYPTOGRAPHIC BINDING INSIDE HTTP
If you're using a public key for authentication, the natural approach is
to simply have the credentials bound directly to the HTTP PDUs they
vouch for. So, the PDU would contain a signature line that covered the
request itself. This is what, for example, S-HTTP does.
Notwithstanding Phil's point about protocol issues being out of scope,
which is likely correct, I'll nevertheless mention a recent
authentication protocol called HTTPsec:
http://httpsec.org/protocol/1.0/
This provides unilateral or mutual authentication using RSA public
keys, or symmetric keys if pre-shared, applicable to arbitrary
messages. It's somewhat "lighter" than S-HTTP; the latter encapsulates
the entire message, whereas HTTPsec adds a single header containing a
MAC, amongst other directives. Obviously, it requires extra code at
client- and server-side.
Stephan Fowler
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix