
Re: Protocol Authentication (was Re: Collection convergence?)




I'll try to outline how I got here.

John Panzer wrote:
> Robert Sayre wrote:
>> * authentication obvious editorial issue. This section is over-specified and already being flaunted. Out it goes. Point to CGI auth? Sure. Someone write it.
>
> How is it being flaunted? Would be helpful to know.

Blogger supports BASIC over SSL only. Were MSN Spaces to support the protocol (hahaha), they wouldn't be able to either because they use passport.com sign-ons with expiring tickets. Beyond that, you'll start seeing sites using cookies (I'm shocked, just shocked) after the initial exchange, because it's much cheaper on the CPU and DB. There are many DAV implementations that do this now.

> I believe we do need a "greatest common denominator" authentication specification for interoperability, but could be convinced otherwise.

I wish we could do that, but we can't, IMHO.

> Perhaps a bit overspecified. But throw it out completely?
> Let's say that we said nothing about authentication. How would clients and servers interoperate?

Every client will have a large switch statement in their auth code.

> I don't think things are that automatic, personally. For example, I've gotten advice that TLS is needed to prevent replay attacks (even if using HTTP Digest). Therefore, absent any spec, I'd probably require TLS and HTTP Basic (and possibly allow Digest if trivial to do) for AOL Journals. Would this be interoperable with all clients?

Nope, that's the problem. In particular, CGI programs such as Movable Type, Blosxom, and Ruby on Rails can't use it.

> (I don't know what 'CGI Authentication' is supposed to mean in this context -- I'd like to see a writeup too.)

"CGI authentication" is the WSSE-based authentication[0] used in many draft-gregorio-09 implementations. Should the nonce be base64-encoded when appearing in a header? Only you can decide.

Robert Sayre


[0] http://www.google.com/search?hl=en&q=atom+authentication&btnG=Google+Search
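The WSSE UsernameToken scheme that the thread calls "CGI authentication", with both sides of the exchange, as an added example that is not part of the thread and not code from any of the implementations named in it. The client builds the X-WSSE header value (PasswordDigest = Base64(SHA1(Nonce + Created + Password))); the server parses it, accepts either reading of the nonce question raised above (digest over the raw nonce bytes, or over the base64 text that appears in the header), and rejects stale or replayed tokens, which is what stands between this scheme and the replay attack John mentions when TLS is absent. The credentials, the 5-minute freshness window and the in-memory seen-nonce table are assumptions made for the example:

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed credential store for this example (not a real account). The
# scheme needs the server to recover the plaintext password, since the digest
# is computed over it; that is one of its real costs compared with Digest auth.
USERS = {"alice": "correct horse battery staple"}

# Assumed freshness window for Created; the thread does not specify one.
WINDOW = timedelta(minutes=5)
_FIELD = re.compile(r'(\w+)="([^"]*)"')
_TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_created(text):
    """Parse the Created timestamp (UTC, second precision)."""
    return datetime.strptime(text, _TS).replace(tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA1(Nonce + Created + Password)), nonce as bytes."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_x_wsse(username, password, nonce=None, created=None, digest_raw_nonce=True):
    """Client side: build the X-WSSE header value.

    The header always carries the nonce base64-encoded. digest_raw_nonce picks
    which bytes go into the SHA-1: the raw random bytes (True) or the base64
    text exactly as it appears in the header (False). Both readings exist.
    """
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(_TS)
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    digested = nonce if digest_raw_nonce else nonce_b64.encode("ascii")
    digest = password_digest(digested, created, password)
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Nonce="{nonce_b64}", Created="{created}"')


def parse_x_wsse(value):
    """Return the four UsernameToken fields, or None if any is missing."""
    if not value.startswith("UsernameToken "):
        return None
    fields = dict(_FIELD.findall(value))
    if {"Username", "PasswordDigest", "Nonce", "Created"} - fields.keys():
        return None
    return fields


class WsseVerifier:
    """Server side. Accepts either nonce convention, rejects stale Created
    values and replays of a nonce inside the window. The seen-nonce table is
    in memory here; a CGI deployment would have to keep it in the database or
    a cache shared by every process, or the replay check means nothing."""

    def __init__(self, users, now=None):
        self.users = users
        self.seen = {}  # header Nonce text -> time after which it may be forgotten
        self.now = now or (lambda: datetime.now(timezone.utc))

    def verify(self, header_value):
        f = parse_x_wsse(header_value)
        if f is None:
            return False, "malformed"
        password = self.users.get(f["Username"])
        if password is None:
            return False, "unknown user"
        try:
            created = parse_created(f["Created"])
        except ValueError:
            return False, "bad Created"
        now = self.now()
        if abs(now - created) > WINDOW:
            return False, "stale"
        self.seen = {n: t for n, t in self.seen.items() if t > now}
        if f["Nonce"] in self.seen:
            return False, "replay"
        # Candidate nonce bytes: the header text itself, and its base64 decoding.
        candidates = [f["Nonce"].encode("utf-8")]
        try:
            candidates.append(base64.b64decode(f["Nonce"], validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
        presented = f["PasswordDigest"].encode("utf-8")
        if not any(hmac.compare_digest(password_digest(c, f["Created"], password).encode("ascii"), presented)
                   for c in candidates):
            return False, "bad digest"
        self.seen[f["Nonce"]] = now + WINDOW
        return True, "ok"


if __name__ == "__main__":
    v = WsseVerifier(USERS)
    h = make_x_wsse("alice", USERS["alice"])
    print(h)
    print(v.verify(h))  # (True, 'ok')
    print(v.verify(h))  # (False, 'replay')
```

Trying both nonce readings costs one extra SHA-1 per request and lets one server talk to clients on either side of the ambiguity; the stale and replay checks are what a bare Basic-over-plaintext deployment lacks, and they only hold if clocks are roughly synchronised and the nonce store is shared.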