[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Auth]Project discussion
|
From: |
Chris Whip |
|
Subject: |
Re: [Auth]Project discussion |
|
Date: |
Tue, 17 Jul 2001 10:23:52 -0700 |
|
User-agent: |
Mutt/1.2.5i |
On Mon, Jul 16, 2001 at 10:49:13AM +0930, Nick Lothian wrote:
> > And any architecture that doesn't require trusted client-side software
> > makes it impossible to implement a scheme that doesn't entirely trust
> > J. Random Website with your secret key, but instead permits a trusted
> > third party to mutually authenticate client and server, a la Kerberos.
>
> Not unless the authentication is actually done on the passport/Auth.GNU
> site, and then the browser sent back to the site that requires
> authentication.
You're right, of course. I failed to express one of the assumptions I was
making, which is that the auth server that the web site trusts is not
necessarily an auth server that the client trusts.
To handle that, either the web site offers a range of login links for
alternative auth providers (which isn't gonna happen, because it's a
UI nightmare) or the client and server negotiate a mutually acceptable
authentication provider, through a protocol which facilitates that.
This is probably not what the first version of auth.gnu should be about,
though. It also relies on web sites accepting a decent range of authentication
servers, which may be a problem.
Cheers,
-- Chris Whip