[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Protocol Authentication

To: "Atom Protocol" <atom-protocol@xxxxxxx>
Subject: Re: Protocol Authentication
From: "John Panzer" <"JPanzer"@aol.net>
Date: Mon, 28 Mar 2005 10:43:50 -0800
List-archive: <http://www.imc.org/atom-protocol/mail-archive/>
List-id: <atom-protocol.imc.org>
List-unsubscribe: <mailto:atom-protocol-request@imc.org?body=unsubscribe>
Organization: AOL
Sender: owner-atom-protocol@xxxxxxxxxxxx

(I recently discovered that some of my email from one of my email 
clients was being blocked from the mailing list*.  Of the messages that 
went missing, I think this is the only one that might possibly be of 
interest at this point.)

(*Due to my having to put double quotes around the user name part of the 
email address for complicated reason -- fun w/normalization!)

Joe Gregorio wrote on 3/21/05, 7:56 AM:

   >
   > On Fri, 18 Mar 2005 14:07:29 -0800 (PST), John Panzer
   > <"jpanzer"@aol.net> wrote:
   > >  In this context, 'support' is a bad word (I knew this, and just
   > listened to
   > > a talk by Karl Wiegers that highlighted this as a word to avoid in
   > specs).
   > > Here's my interpretation of 'support HTTP X Auth':
   > >
   > >  "An Atom server which requires authentication for a particular
   > request, and
   > > which receives a request lacking authentication [1], shall respond
   > with a
   > > 403 and a WWW-Authenticate: challenge to the client.  Such a
   > challenge MUST
   > > include the HTTP X[2] Auth scheme.  Further, an Atom server which
   > requires
   > > authentication for a particular request, and which receives an
   > otherwise
   > > unauthenticated request containing a WWW-Authenticate: header
   > providing HTTP
   > > X Auth information, MUST use the provided HTTP X Auth information to
   > attempt
   > > to authenticate the requestor.  A server SHOULD ignore HTTP X Auth
   > > information if, and only if, it has already authenticated a request
   > using
   > > some other mechanism."
   >
   > I'm not even sure we should go that far in restricting things, doesn't
   > the above wording rule out using TLS and IPSec, which I vaguely recall
   > can both supply authentication?

I've used 'client auth' with TLS, which basically means having a
certificate (and hence public key) for the individual client/user.  This
would provide authentication on the initial request as part of TLS, so
the request would not be 'lacking authentication'.

Regarding challenge-request protocols:  If the custom protocol uses the
extension mechanism of WWW-Authenticate:, I don't think there's a
problem, as the server would include both schemes on the
WWW-Authenticate: challenge and the client could pick either one.  But I
have not done this myself. :)

-John

Prev by Date: Re: issue: draft posts
Previous by thread: draft-sayre-atompub-protocol-basic-00
Index(es):
- Date
- Thread