Re: CGI/1.0: last call

Bill Janssen <janssen@parc.xerox.com>
Message-id: <sh2HIHQB0KGWNGkllD@holmes.parc.xerox.com>
Date: Fri, 10 Dec 1993 18:48:51 PST
Sender: Bill Janssen <janssen@parc.xerox.com>
From: Bill Janssen <janssen@parc.xerox.com>
To: www-talk@nxoc01.cern.ch,
        "Peter Lister, Cranfield Computer Centre" <P.Lister@cranfield.ac.uk>
Subject: Re: CGI/1.0: last call
Cc: p.lister@cranfield.ac.uk
In-reply-to: <9312061438.AA03185@xdm039.ccc.cranfield.ac.uk>
References: <9312061438.AA03185@xdm039.ccc.cranfield.ac.uk>

Excerpts from ext.WorldWideWeb: 6-Dec-93 Re: CGI/1.0: last call Peter Lister@cranfield.a (661)

> > Authentication must be the responsibility of the script writer.  While

Interesting.  I just returned from a meeting where various security
experts impressed on me just how bad an idea that is, as it increases
the amount of code in the "Trusted Computing Base" unmanageably.  They
felt that such a system could never be rated secure.

> What he said. Any authentication mechanism must allow for any
> authentication data to be passed to the server. I want to write HTML
> front ends to various Kerberos authenticated doobreys, and I MUST be
> able to pass a ticket to the server, and preferably also encrypted data
> using the Kerberos session key.

Well, perhaps as an option.

Bill