On 6/27/06, Robert Sayre <[EMAIL PROTECTED]> wrote:
> On 6/26/06, Stephan Fowler <[EMAIL PROTECTED]> wrote:
>>
>> Notwithstanding Phil's point about protocol issues being out of scope,
>> which is likely correct, I'll nevertheless mention a recent
>> authentication protocol called HTTPsec:
>> http://httpsec.org/protocol/1.0/
>
> Interesting. But, I have a question. How does the client know to send
> the Authorization: initialization header in the first request?

Consider:

(1) Reactive authentication: the server responds to an unauthenticated
request with a "WWW-Authenticate: httpsec/1.0 challenge" header (kinda
à la Digest auth), invoking the client to retry with an initialization
header.

(2) Active authentication of server: Client sends the initialization
because it has the policy of doing so for specific sites, and has
prior notions of the public-keys that those sites must authenticate
against. Imagine bookmarks that associate URLs with server public
keys. On selection of such a bookmark, client would send an
initialization bearing a "responder-auth" directive.

(3) Active client authentication: Suppose bookmarks associate URLs
with a *client* private key. On selection of such a bookmark, the
client would send an initialization bearing a "requester" directive
containing a reference to its public key.

Note that 1 is normative, whereas 2 and 3 are use-cases applicable
when "client" means a browser (I say that because we initially
developed this for server-to-server interactions, e.g. ReST, web
services etc, which represent another set of use-cases). The bookmark
thing is something we are experimenting with at the moment.

Stephan
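The three initiation modes above, modelled as an added example (not part of the thread and not HTTPsec's own code): the directive names and the challenge value are taken from the message, while the exact header syntax, the `Bookmark` type and the toy server are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The directive names (initialization, responder-auth, requester) and the
# "httpsec/1.0 challenge" value come from the thread; header syntax is ASSUMED.
CHALLENGE = "httpsec/1.0 challenge"
INIT = "httpsec/1.0 initialization"

@dataclass
class Bookmark:
    url: str
    server_pubkey: Optional[str] = None   # case (2): key the site must authenticate against
    client_key_ref: Optional[str] = None  # case (3): reference to the client's own public key

def initialization_header(bookmark: Optional[Bookmark]) -> Optional[str]:
    """Decide what Authorization header, if any, the *first* request carries."""
    if bookmark is not None and bookmark.server_pubkey:
        # case (2): client demands server authentication against a pinned key
        return INIT + " responder-auth"
    if bookmark is not None and bookmark.client_key_ref:
        # case (3): client offers its own identity via a public-key reference
        return INIT + " requester=" + bookmark.client_key_ref
    return None  # case (1): no prior policy; let the server challenge us

def server(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Constructed server that requires HTTPsec and challenges bare requests."""
    if headers.get("Authorization", "").startswith(INIT):
        return 200, {}
    return 401, {"WWW-Authenticate": CHALLENGE}

def fetch(bookmark: Optional[Bookmark]) -> List[Tuple[str, int]]:
    """Run one fetch; return the (Authorization sent, status) pairs in order."""
    trace: List[Tuple[str, int]] = []
    init = initialization_header(bookmark)
    status, resp = server({"Authorization": init} if init else {})
    trace.append((init or "", status))
    if status == 401 and resp.get("WWW-Authenticate") == CHALLENGE:
        # case (1), reactive: the challenge tells the client to retry with an
        # initialization header (akin to Digest auth)
        status, _ = server({"Authorization": INIT})
        trace.append((INIT, status))
    return trace
```

Without a bookmark the client makes two round trips (challenge, then retry); with a bookmark carrying either key it sends the initialization on the first request, which is the answer to the question raised above.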

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix