tjais-dev

[Tjais-dev] Re: [DotGNU]Identity


From: David Nicol
Subject: [Tjais-dev] Re: [DotGNU]Identity
Date: Fri, 01 Mar 2002 15:40:51 -0600

Hans Zandbelt wrote:
> 
> At 15:16 2/28/2002 -0600, David Nicol wrote:
> >I have an apprentice working on templatizing the HTML pages
> >involved in the six-stage handshake and writing identity client
> >code in Java as well as Perl -- for an authenticated identity service
> >as described at my web page .  Anyway, here's some ASCII - UML
> >describing how the handshake works:
> <snip>
> >Advice, dissent?
> 
> Please have a look at http://idsec.sourceforge.net which
> describes an identity system (IDsec, a DotGNU
> project proposal) that uses a similar handshake for
> identity establishment.
> 
> Hans.


What I want to do, and which my AIS client will provide, and
which is not available directly from that web page (nor from
AIS's web page http://www.tipjar.com/nettoys/TJAIS.html or
http://savannah.gnu.org/projects/tjais/), and I will gladly just
concede this space to IDsec if you can provide me with this
piece :), is: have a program or module or run-time function which can
be included, with appropriate parameters concerning such
things as behavior on negative response, in a Perl CGI program,
like so:

        require "IDsec.pl";

and this is all the client program has to do to populate
a well-known or pointed-to variable with an authenticated
user-name.  

Obvious parameters include the name of the identity server
to authenticate against and a reference to a buffer to load
the identity into, extending the invocation to something like

        use dgAIS server => 'dgID.idsec.net' , buffer => \$USER_ID;

or, with a group of servers,


        use dgAIS serverlist => [qw{
                dgid.idsec.net ais.tipjar.com ais.yahoo.com ais.msn.net}],
                buffer => \$user::user_id;



Anyway, this would be embedded within another program that handles sessions
for users of the web service, so the identity service only needs to get
hit when a new session is created.


For instance, the calendar application I am working on does,
in part of it, something similar to:

        @user::required_privs = qw{ view post useredit };
        ...
        require "user.pl";

and user.pl is responsible for:

        loading the session record if one exists, otherwise

        creating a session record by requiring the identity module,
                which does the handshake, which involves
                issuing a Location: header and exiting and then
                handling the next step when we return, looking up
                the user in the local privilege database, loading
                the identity and the privs into a session record,
                serving a session cookie

        checking the session's privs and exiting with an
        insufficient priv error message if needed


That's the point of the AIS module, usability from the client-writing
perspective.

Is there C or Perl code available that can be dropped into the
"Get Identity" part of the above sequence of events?  I will gladly
switch from a system of my own devisement to an equivalent one that
already has the blessing of the IETF if it is a drop-in replacement
providing the same functionality.
 


-- 
           David L Nicol, humble system administrator (816) 235 1187
              "... security through transparency." -- Margareta Wolf
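As an added illustration (not code from this thread, from AIS or from IDsec), here is one way a user.pl could carry out the three responsibilities listed above in a single gate decision: load the session named by the cookie, otherwise start the handshake with a Location: header, and refuse when the required privs are missing. The identity server name, the SID cookie format, the in-memory session and privilege stores, and the IDSEC_IDENTITY hand-off from the identity module are all assumptions made for the example.

```perl
package user;                      # loaded by: require "user.pl";
use strict;
use warnings;

our @required_privs;   # the CGI sets @user::required_privs before the require
our $user_id;          # populated with the authenticated user name on success

# Constructed in-memory stand-ins for the session store and the local
# privilege database; a real deployment would keep these in a file or DB.
our %sessions = ();    # session id => { user => ..., privs => [...] }
our %priv_db  = (alice => [qw{view post}], bob => [qw{view post useredit}]);

sub new_session_id {   # 128 bits from the kernel RNG, so ids are unguessable
    open my $fh, '<', '/dev/urandom' or die "urandom: $!";
    read($fh, my $raw, 16) == 16 or die "short read from urandom";
    return unpack 'H*', $raw;
}

# Decide what the CGI should do. cookie: raw Cookie: header; identity: the
# user name the handshake returned on the return trip (undef on first pass).
sub gate {
    my %a = @_;
    my ($session, %resp);
    if (defined $a{cookie} && $a{cookie} =~ /(?:^|;\s*)SID=([0-9a-f]{32})\b/) {
        $session = $sessions{$1};                 # undef: unknown or expired
    }
    if (!$session) {
        return { action => 'redirect', location => "https://$a{server}/handshake" }
            unless defined $a{identity};
        my $sid = new_session_id();
        $session = $sessions{$sid} = {
            user  => $a{identity},
            privs => $priv_db{ $a{identity} } || [],   # unknown user: no privs
        };
        $resp{set_cookie} = "SID=$sid; Path=/; HttpOnly; Secure";
    }
    my %have    = map { $_ => 1 } @{ $session->{privs} };
    my @missing = grep { !$have{$_} } @{ $a{required} };
    return { action => 'forbidden', missing => \@missing } if @missing;
    return { %resp, action => 'ok', user => $session->{user} };
}

# Act on the decision at require time: redirect and stop, refuse, or go on
# with $user_id set. IDSEC_IDENTITY stands in for the identity module's output.
my $r = gate(cookie => $ENV{HTTP_COOKIE}, server => 'dgid.idsec.net',
             identity => $ENV{IDSEC_IDENTITY}, required => \@required_privs);
if ($r->{action} eq 'redirect') {
    print "Status: 302 Found\r\nLocation: $r->{location}\r\n\r\n"; exit 0;
}
if ($r->{action} eq 'forbidden') {
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n",
          "insufficient privilege: missing @{ $r->{missing} }\n"; exit 0;
}
print "Set-Cookie: $r->{set_cookie}\r\n" if $r->{set_cookie};
$user_id = $r->{user};
1;
```

The identity value must come from a handshake response the identity module has already verified, never straight from the request, since everything after the gate trusts it.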


