Re: Authentication
John Panzer wrote:
Joe Gregorio wrote:
...
How should authentication and security be handled? Are Basic and Digest
good enough?
Okay, I'll bite..
Thanks John for jumping in.
Basic auth sends passwords in the clear; unfortunately this is something
my service (AOL Journals) isn't able to support due to the major
security issues. Digest auth, or Basic auth+SSL, are probably
good-enough minimums for handling authentication at the HTTP transport
level.
Digest authentication does not send passwords in the clear, has some
provision for protection against replay attacks and message
modification, should work with proxies and caches if desired, and is
pretty well documented: http://www.ietf.org/rfc/rfc2617.txt .
However, I've heard a concern that some blog tools can't require that
third party hosting providers have Digest auth enabled on their
servers. So it might not be possible to require this across the board.
I'd love to see a discussion of this; is it really an issue?
I do not want to express any opinion on auth/security, but I do
want to point out a distinction that your response highlights,
that there are two ends of this communication. That is, there is
the auth mechanism that the server can handle and the auth mechanism
that the client can handle.
Let me make some wild suppositions to make my point, and to
give others something to shoot down :)
1. The auth mechanism chosen doesn't really matter for the client side.
Let's be realistic, if AOL Journals goes with Digest authentication only
and you are a vendor of client side tools, *you will find a way to
support Digest*.
2. The auth mechanism chosen does matter on the server-side, but it
depends on how big you are.
A. If you are large then security matters, you have control over your
servers, and because of that you can implement the security mechanism
of your choice. (AOL, Blogger, TypePad, LiveJournal)
B. If, on the other hand, you are a smaller site, like a single user
install of MT, then either auth:
1. Isn't as high a concern.
2. It is a concern and you are a power user
and would choose a hosting vendor with such things in mind.
In particular I want to note that:
1. I'm offering up this categorization to generate a discussion, I *want*
people to poke holes in it.
2. SixApart has the unique position of living in two worlds, as it were,
with MT and TypePad.
Apparently Basic auth + SSL is more easily achievable in those
situations. My only concern with this is that it's a bit like swatting
a fly with a sledgehammer. On the other hand, if we want to hide the
content as well as authenticating, it's a good way to go. This would
require SSL libraries on both client (or gateway) and server.
So: I think Basic over https and Digest are both good enough, and at
least one should be required.
(Finally, and this would really just be icing, it'd be nice if whatever
scheme is picked could accommodate Kerberos session tickets
[http://www.ietf.org/rfc/rfc1510.txt], or be extended to do so in the
future.)
John Panzer
AOL Time Warner
Thanks,
-joe
--
http://BitWorking.org
http://WellFormedWeb.org
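The thread contrasts Basic auth (password sent in the clear) with Digest auth (RFC 2617: hashed credentials, nonce-based replay protection, and a response bound to the request method and URI). The following is an added example, not code from either poster or from AOL Journals, showing both schemes end to end: a Basic header decoded back to the plaintext password, and a minimal Digest server/client exchange with the qop="auth" response computation, nonce-count replay detection and tamper detection. The realm, user name, password and URI values are constructed for the demonstration; the one fixed test vector used is the worked example from section 3.5 of RFC 2617 itself.

```python
import base64
import hashlib
import hmac
import secrets


def basic_header(user, password):
    """Build an RFC 2617 Basic Authorization value. Note that base64 is an
    encoding, not encryption: anyone on the path recovers the password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header):
    """What a passive observer (or proxy) sees: [user, password] in the clear."""
    assert header.startswith("Basic ")
    return base64.b64decode(header[6:]).decode().split(":", 1)


def _md5(s):
    # RFC 2617 specifies MD5 for the Digest algorithm; RFC 7616 later added SHA-256.
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 section 3.2.2.1, qop="auth": KD(H(A1), nonce:nc:cnonce:qop:H(A2)).
    The password never leaves the client; method and URI are bound into HA2."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: issues challenges and verifies responses.
    Realm and user table are constructed for the example."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # user -> password (a real server would store HA1)
        self.nonces = {}            # nonce -> highest nonce-count accepted so far

    def challenge(self):
        """WWW-Authenticate value; the server-chosen nonce is tracked for replay checks."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method, user, uri, nonce, nc, cnonce, response):
        """Accept only a fresh (strictly increasing nc) response for a known nonce
        that matches the request actually received."""
        if nonce not in self.nonces:
            return False                # unknown or stale nonce
        if nc <= self.nonces[nonce]:
            return False                # replayed nonce-count
        password = self.users.get(user)
        if password is None:
            return False
        expected = digest_response(user, password, self.realm, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False                # wrong password, or method/URI tampered with
        self.nonces[nonce] = nc
        return True


def run_exchange():
    """One challenge, then a genuine request, a verbatim replay, and a tampered URI.
    Returns (genuine_accepted, replay_accepted, tampered_accepted)."""
    server = DigestServer("journals.example", {"joe": "s3cret"})   # constructed values
    challenge = server.challenge()
    nonce = challenge.split('nonce="')[1].rstrip('"')
    cnonce = secrets.token_hex(8)
    uri = "/atom/entry"
    resp = digest_response("joe", "s3cret", "journals.example", "POST", uri, nonce, 1, cnonce)
    genuine = server.verify("POST", "joe", uri, nonce, 1, cnonce, resp)
    replay = server.verify("POST", "joe", uri, nonce, 1, cnonce, resp)
    tampered = server.verify("POST", "joe", "/atom/other", nonce, 2, cnonce, resp)
    return genuine, replay, tampered


if __name__ == "__main__":
    print("Basic reveals:", basic_decode(basic_header("joe", "s3cret")))
    print("Digest genuine/replay/tampered:", run_exchange())
```

The replay check relies on the client incrementing nc for every request under the same nonce, which is why a server must remember the last nc per nonce; without that bookkeeping Digest still hides the password but a captured request can be resent. Also note the algorithm here is the original MD5 variant from RFC 2617; a deployment today would use the SHA-256 form from RFC 7616 or simply run Basic over TLS, which is the "Basic + SSL" option the thread also considers.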