Re: [Auth]Project discussion

From: Chris Whip
Subject: Re: [Auth]Project discussion
Date: Tue, 17 Jul 2001 10:23:52 -0700
User-agent: Mutt/1.2.5i

On Mon, Jul 16, 2001 at 10:49:13AM +0930, Nick Lothian wrote:
> > And any architecture that doesn't require trusted client-side software
> > makes it impossible to implement a scheme that doesn't entirely trust
> > J. Random Website with your secret key, but instead permits a trusted
> > third party to mutually authenticate client and server, a la Kerberos.
> Not unless the authentication is actually done on the passport/Auth.GNU
> site, and then the browser sent back to the site that requires
> authentication.

You're right, of course. I failed to express one of the assumptions I was
making, which is that the auth server that the web site trusts is not
necessarily an auth server that the client trusts.

To handle that, either the web site offers a range of login links for
alternative auth providers (which isn't gonna happen, because it's a
UI nightmare) or the client and server negotiate a mutually acceptable
authentication provider, through a protocol which facilitates that.

This is probably not what the first version of auth.gnu should be about,
though. It also relies on web sites accepting a decent range of authentication
servers, which may be a problem.

-- Chris Whip
