HTRQ and Kerberos

From: Dave_Raggett <dsr@hplb.hpl.hp.com>
Message-id: <9305261228.AA02564@manuel.hpl.hp.com>
Subject: HTRQ and Kerberos
To: sanders@bsdi.com
Date: Wed, 26 May 93 13:28:09 BST
Cc: www-talk@nxoc01.cern.ch
Mailer: Elm [revision: 66.36.1.1]
Tony Sanders writes (Sun, 23 May 1993)

> What are you browser writers thinking about supporting wrt HTTP/1.0 request
> headers (e.g., see the kerberos proposal below)?  We need to think about
> how to implement the ChargeTo: and Authorization: headers in a generic
> way so the browser can easily support different styles.  I would
> like to see From:, User-Agent:, and Referer: being used (currently
> I've only seen "Accept: text/plain" and "Authorization: user xxx").

I am successfully using the Authorization field within Hewlett Packard
for providing restricted access to Web documents:

Two formats:

    a)  Authorization: user fred:secret
    b)  Authorization: user fred

When the browser gets error code 401 (unauthorized) it asks the user
for a username and password. This is then included as (a) in all subsequent
queries to the same server (same protocol, port and host name). By default
the browser always sends the user name as (b) which it obtains from the
environment variable "USER". This avoids the need for users to type
anything if they are known to the server via the .rhosts or /etc/hosts.equiv
mechanism.

This approach matches our needs well, and corresponds to the standard level of
security offered with FTP, rlogin and telnet. It's really great to see someone
extending this to support Kerberos!

I have also been studying the privacy enhanced mail proposals and the general
field of authentication and encryption based on public key techniques. These
techniques require the setup of registration authorities that permit you to
look up the public key for any person on the system.

Such an approach would allow servers to use the registered public key of a
client to check that a request indeed originated from that client.
Furthermore it would allow clients to be certain that a document obtained
from a server is indeed by whom it claims to be and hasn't been altered in
any way whatsoever.

To do this we will need to define authentication formats for both HTRQ
and MIME headers. This needs to be done in concert with other groups in
the Internet. Is anyone interested in picking this up?

Regards,

Dave Raggett
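The two header formats and the browser behaviour described in the message, modelled as an added example (not code from the message, from HP's 1993 browser or from any real server). The server side parses "Authorization: user fred" and "Authorization: user fred:secret"; the client side shows the 401 prompt, the replay of format (a) only to the same (protocol, host, port) origin, and format (b) being sent by default from USER. The host names, the password table and the hosts.equiv-style table are constructed for the demo; the demo also returns the header as it leaves the browser, which makes the point that format (a) carries the password in clear text, exactly as FTP, rlogin and telnet of the day did.

```python
import os
from urllib.parse import urlsplit


def parse_user_authorization(value):
    """Parse the two formats from the message:
         (a) 'user fred:secret'  -> ('fred', 'secret')
         (b) 'user fred'         -> ('fred', None)
    Returns None for any other scheme or an empty user name.  The password is
    everything after the first ':' so a password containing ':' still round-trips."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "user":
        return None
    name, sep, password = parts[1].partition(":")
    if not name:
        return None
    return (name, password if sep else None)


def origin_of(url):
    """Scope for cached credentials: (protocol, host, port), as the message states."""
    u = urlsplit(url)
    port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


class Browser:
    """Client behaviour from the message: send (b) by default, prompt on 401,
    then send (a) to every later request for the same origin."""

    def __init__(self, client_host, prompt, env_user=None):
        self.client_host = client_host
        self.env_user = env_user or os.environ.get("USER", "nobody")
        self.prompt = prompt            # callable -> (username, password)
        self.creds = {}                 # origin -> (username, password)
        self.prompts = 0                # how often the user was asked

    def authorization(self, url):
        cached = self.creds.get(origin_of(url))
        if cached:
            return "user %s:%s" % cached          # format (a)
        return "user %s" % self.env_user          # format (b), sent by default

    def get(self, url, server):
        status = server(self.client_host, url, self.authorization(url))
        if status == 401:
            self.creds[origin_of(url)] = self.prompt()
            self.prompts += 1
            status = server(self.client_host, url, self.authorization(url))
        return status


# Constructed server-side state (hypothetical, for the demo only).
PASSWORDS = {"fred": "secret"}
HOSTS_EQUIV = {("trusted.example.com", "fred")}   # stands in for hosts.equiv / .rhosts


def server(client_host, url, authorization):
    """Return an HTTP status for a request carrying the given Authorization value.
    Format (b) is accepted only from a (host, user) pair in HOSTS_EQUIV;
    format (a) is checked against the password table."""
    parsed = parse_user_authorization(authorization or "")
    if parsed is None:
        return 401
    user, password = parsed
    if password is None:
        return 200 if (client_host, user) in HOSTS_EQUIV else 401
    return 200 if PASSWORDS.get(user) == password else 401


def run_demo():
    """Drive the exchange from two constructed client hosts and report what happened."""
    results = {}

    def ask():                      # stands in for the browser's password dialog
        return ("fred", "secret")

    remote = Browser("laptop.example.com", ask, env_user="fred")
    results["untrusted_first"] = remote.get("http://docs.example.com/a.html", server)
    results["prompts_after_first"] = remote.prompts
    results["untrusted_same_origin"] = remote.get("http://docs.example.com/b.html", server)
    results["prompts_after_same_origin"] = remote.prompts
    results["untrusted_other_port"] = remote.get("http://docs.example.com:8080/c.html", server)
    results["prompts_after_other_port"] = remote.prompts
    results["header_sent"] = remote.authorization("http://docs.example.com/z.html")

    local = Browser("trusted.example.com", ask, env_user="fred")
    results["trusted_default"] = local.get("http://docs.example.com/a.html", server)
    results["prompts_trusted"] = local.prompts
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print("%-28s %s" % (k, v))
```

Two things the run makes visible: a change of port counts as a new origin and triggers a second prompt, and "header_sent" is the literal header text, password included, that any host on the path can read.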