Re: Proposal for new HTTP 1.1 authentication scheme
Scott Lawrence (lawrence@agranat.com)
Thu, 11 Dec 1997 09:24:05 -0500

>>>>> "EH" == Eric Houston:
EH> Two new refinements that I would like to make:
EH> 1) When the content server redirects the request to the authentication
EH> server, it encrypts the ACL for the protected resource. The authentication
EH> server then validates the user against the (decrypted) ACL

Whoa - this is authentication, not authorization. The purpose is to
provide a trustable identity for the end user without exposing the
means of doing so to the world, not to do access control. Access
control depends on authentication, but authentication does not
include access control. I believe that any discussion of ACLs is
out of scope for this specification.
--
Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/