
Re: Authentication




Simon Fell wrote:
Joe Gregorio wrote:

> How should authentication and security be handled? Are Basic and Digest good enough?

An alternative question would be, if we cook up a custom solution, would it be any easier to code, deploy, use or be any more secure?

I see no reason to specify anything more than use HTTP's existing options for authentication, confidentiality and tamper proofing as required. With perhaps something that points out guidelines and/or best practices.

This is not an either/or.


There are existing solutions that allow application level authentication. For example:

http://www-106.ibm.com/developerworks/library/ws-trust/#Challenges
http://www-106.ibm.com/developerworks/library/ws-trust/#PasswordBasedKeyExchange

And not to name drop, but look at the author list on this specification.

The issue with transfer level authentication is that it is difficult to mandate given the number of weblogs which are deployed to simple CGI based servers. This would create support issues for products like MovableType.

Cheers
Simon
www.pocketsoap.com

- Sam Ruby
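For readers weighing "are Basic and Digest good enough?", here is an added example (not code from this thread or from any of the posters) that shows concretely what the two HTTP schemes under discussion do: Basic is just base64 of `user:password`, so the credential is effectively cleartext without TLS, while Digest (RFC 2617, MD5 with `qop=auth`) is a challenge-response over a server nonce, so the password itself never crosses the wire and the server can store `HA1` instead of the password. The helper names (`basic_credentials`, `digest_response`, `verify_digest`) and the tiny issued-nonce cache are this example's own; the Mufasa/testrealm values are the interoperability vector from RFC 2617.

```python
import base64
import hashlib
import secrets


def md5_hex(data: str) -> str:
    """RFC 2617 Digest uses MD5 over ASCII strings; hex digest as the RFC requires."""
    return hashlib.md5(data.encode()).hexdigest()


def basic_credentials(header_value: str) -> tuple[str, str]:
    """Decode an Authorization: Basic value.

    Base64 is an encoding, not encryption: anyone who can read the request
    (no TLS) reads the password. That is the core weakness of Basic.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth:
    response = MD5(HA1 : nonce : nc : cnonce : qop : HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side. Keeps HA1 per user (MD5(user:realm:password)), never the
    password, plus the set of nonces it has issued so a forged nonce is rejected.
    (Hypothetical minimal server; a real one would also expire nonces and track nc.)"""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user: dict[str, str] = {}
        self.issued_nonces: set[str] = set()

    def enroll(self, username: str, password: str) -> None:
        self.ha1_by_user[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self) -> str:
        """Fresh, unpredictable nonce for the WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, params: dict, method: str) -> bool:
        """params: parsed fields of the Authorization: Digest header."""
        if params.get("nonce") not in self.issued_nonces:
            return False  # nonce not ours: replay of an old/forged challenge
        ha1 = self.ha1_by_user.get(params.get("username", ""))
        if ha1 is None:
            return False
        # HA2 binds the proof to the method and URI, which is the tamper check
        ha2 = md5_hex(f"{method}:{params['uri']}")
        expected = md5_hex(
            f"{ha1}:{params['nonce']}:{params['nc']}:{params['cnonce']}:{params['qop']}:{ha2}"
        )
        # constant-time compare so the check itself does not leak the digest
        return secrets.compare_digest(expected, params.get("response", ""))


def demo() -> dict:
    """Constructed round trip: one valid Digest request, one with a tampered URI."""
    server = DigestVerifier("testrealm@host.com")
    server.enroll("Mufasa", "Circle Of Life")
    nonce = server.challenge()
    cnonce = "0a4f113b"
    good = {
        "username": "Mufasa", "uri": "/dir/index.html", "nonce": nonce,
        "nc": "00000001", "cnonce": cnonce, "qop": "auth",
        "response": digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                                    "GET", "/dir/index.html", nonce, "00000001", cnonce),
    }
    tampered = dict(good, uri="/admin/index.html")  # same proof, different resource
    return {"good": server.verify(good, "GET"), "tampered": server.verify(tampered, "GET")}


if __name__ == "__main__":
    print(basic_credentials("Basic " + base64.b64encode(b"joe:s3cret").decode()))
    print(demo())
```

The `demo()` call is the part to study: the same Authorization header that authenticates `/dir/index.html` fails for `/admin/index.html` because `HA2` covers the request URI, which is the "tamper proofing" Simon refers to, and a request that reuses a nonce the server never issued is rejected before any hashing is done. Basic, by contrast, offers none of that on its own and relies entirely on TLS for confidentiality.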