Re: [Auth]Project discussion

[Chris Hecimovic]

On July 14, 2001 10:29 am, you wrote:

> a) create a simple/small browser plug-in that manages an
>      encrypted local database of personal information
>      (no third-party servers for auth whatsoever, use
>      the Netscape plug-in API, keep everything really
>     simple).
>
> b) create a simple specification for how web servers can
>      request personal information from this plug-in using
>      existing web standards (might not be much more
>      complicated than creating a request in the form
>      of an XML file, then referring to that file's URL in
>      your web page via an <embed> tag).
>
> c) implement the plug-in for the top browsers, try out the spec
>      on some web sites, and then submit the spec to the W3C
>      process.
>
> With the right group of talent, it seems like this could all be done
> within a few weeks, and offer an immediate alternative to Passport
> for the very limited uses the vast majority of users make of
> Passport today.

Good thoughts. I have some questions:

1. You mention authenticating to a web server. For now, this is obviously the 
site to which they are connecting. Will the user ever be authenticating to a 
gatekeeper (presumably their ISP) in the future? 

2. What authentication method are you suggesting? I would like to avoid 
passwords. Is .NET using Kerberos? Perhaps we should think along these lines 
(Neuman-Stubblebine also). I know this is an implementation detail, but it's 
actually kind of important at this stage.

3. When you say "personal information", what are you thinking of? Data that 
normally gets stored in cookies?

Let's hash this out a bit and then come up with some requirements. Then let's 
think about architecture (APIs, plugins, etc.) 

Christian