Protocol Authentication (was Re: Collection convergence?)
Robert Sayre wrote:
* authentication
obvious editorial issue. This section is over-specified and already
being flaunted. Out it goes. Point to CGI auth? Sure. Someone write
it.
How is it being flaunted? Would be helpful to know.
I believe we do need a "greatest common denominator" authentication
specification for interoperability, but could be convinced otherwise.
I believe this is the current text:
---
3.7 Securing the Atom Protocol
All instances of publishing Atom entries SHOULD be protected by
authentication to prevent posting or editing by unknown sources.
Atom servers and clients MUST support one of the following
authentication mechanisms, and SHOULD support both.
o HTTP Digest Authentication [RFC2617]
o [@@TBD@@ CGI Authentication ref]
Atom servers and clients MAY support encryption of the Atom session
using TLS [RFC2246].
There are cases where an authentication mechanism may not be
required, such as a publicly editable Wiki, or when using the PostURI
to post comments to a site that does not require authentication to
create comments.
---
Perhaps a bit overspecified. But throw it out completely?
Let's say that we said nothing about authentication. How would clients
and servers interoperate? Are you thinking that all implementers on
both sides would just naturally support HTTP Digest?
I don't think things are that automatic, personally. For example, I've
gotten advice that TLS is needed to prevent replay attacks (even if
using HTTP Digest). Therefore, absent any spec, I'd probably require
TLS and HTTP Basic (and possibly allow Digest if trivial to do) for AOL
Journals. Would this be interoperable with all clients?
(I don't know what 'CGI Authentication' is supposed to mean in this
context -- I'd like to see a writeup too.)
-John
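As an added illustration, not text from this thread or code from the Atom spec: a server-side check in Python that applies the policy John describes, accepting RFC 2617 Digest on any transport but Basic only when the request came in over TLS, and tracking the Digest nonce-count so a captured request cannot simply be resent while its nonce is still valid. The realm, the user store and the nonce values are constructed for the example.

```python
import base64
import hashlib
import re

REALM = "atom-example"
USERS = {"john": "secret"}   # constructed credential store: user -> password
_seen_nc = {}                 # Digest replay tracking: nonce -> highest nc accepted

def _md5(s):  # RFC 2617 Digest is defined over MD5 (the spec's choice, not ours)
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 with qop=auth: MD5(HA1 : nonce : nc : cnonce : qop : HA2)
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def digest_header(user, password, method, uri, nonce, nc, cnonce):
    # What a client sends after a 401 carrying WWW-Authenticate: Digest ... qop="auth"
    resp = digest_response(user, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _parse_digest(params):  # key="value" and key=value pairs of the Digest credentials
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}

def authenticate(authorization, method, uri, over_tls, valid_nonces):
    """Return the authenticated user or None. Digest is accepted on any transport; Basic
    only over TLS (it carries the password in the clear). Digest nc must increase per nonce."""
    scheme, _, params = authorization.partition(" ")
    if scheme == "Basic" and over_tls:
        user, _, password = base64.b64decode(params).decode().partition(":")
        return user if USERS.get(user) == password else None
    if scheme == "Digest":
        p = _parse_digest(params)
        user, nonce = p.get("username"), p.get("nonce")
        nc = int(p["nc"], 16) if re.fullmatch(r"[0-9a-fA-F]{8}", p.get("nc", "")) else 0
        if (user not in USERS or nonce not in valid_nonces or p.get("qop") != "auth"
                or p.get("uri") != uri or nc <= _seen_nc.get(nonce, 0)):
            return None                      # bad creds, stale nonce, or nc reused (replay)
        expected = digest_response(user, USERS[user], method, uri, nonce, p["nc"], p.get("cnonce", ""))
        if expected != p.get("response"):
            return None
        _seen_nc[nonce] = nc
        return user
    return None                              # unsupported scheme, or Basic without TLS
```

Digest with qop=auth binds only the method and URI, not the entry body, so TLS remains the practical answer to tampering with the posted entry in transit.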