Re: Access Authorization

Tony Sanders <sanders@bsdi.com>
Errors-To: sanders@bsdi.com
Message-id: <9309141644.AA24800@austin.BSDI.COM>
To: wa@mcc.com (Wayne Allen)
Cc: www-talk@nxoc01.cern.ch
Subject: Re: Access Authorization 
In-reply-to: Wayne Allen's message of Tue, 14 Sep 93 10:02:36 CDT.
Reply-To: sanders@bsdi.com
Organization: Berkeley Software Design, Inc.
Date: Tue, 14 Sep 1993 11:44:30 -0500
From: Tony Sanders <sanders@bsdi.com>
> The reason the authentication protocol must be conducted over the same
> connection as the data transmission is that the server cannot be
> absolutely sure from one connection to the next whether it is talking
> to the same client. That's the whole point of authentication, after
> all.
You can do some authentication using a single request.

Here is what I think you want for more complex protocols.  Note that this
is a departure from the current proposal because putting the authorization
scheme after the "401" code is too limiting.  Consider this a request to
change the proposal.

client:
    GET /document HTTP/1.0\r\n
    \r\n
server:
    HTTP/1.0 401 Unauthorized
    Authenticate: External-KerberosIV, realm="bsdi.com",principle="foo"
    Authenticate: PK-reverse, principle="joe's-computers"
    Authenticate: basic; kerberos

Example of OUT-OF-BAND Authentication
=====================================

client:
    GET /document HTTP/1.0\r\n
    ...
    Authorization: External-KerberosIV\r\n
    \r\n
    [kerberos bits]
server:
    [kerberos bits]
client:
    [kerberos bits]
server:
    HTTP/1.0 200 Document follows
    ...
    Content-type: text/html
    \r\n
    <HEAD>...</HEAD><BODY>...</BODY>

Example of IN-BAND Authentication
=================================
client:
    GET /document HTTP/1.0\r\n
    ...
    Authorization: PK-reverse key="987f98e987a987b987c98"
    \r\n
server:
    HTTP/1.0 200 Document follows
    ...
    Content-type: text/html
    \r\n
    <HEAD>...</HEAD><BODY>...</BODY>

--sanders
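As an added illustration (not code from this message or from any server of the time), here is a small Python parser for the multi-header `Authenticate:` challenge proposed above, plus a client-side chooser that takes the strongest scheme it recognises rather than the first one listed, so a server offering `basic` beside a Kerberos scheme cannot quietly steer the client to the weaker one. The sample 401 response, the preference order and the `principle` parameter spelling are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of the 401 response sketched in the message (not real server output).
SAMPLE_401 = (
    "HTTP/1.0 401 Unauthorized\r\n"
    'Authenticate: External-KerberosIV, realm="bsdi.com",principle="foo"\r\n'
    'Authenticate: PK-reverse, principle="joe\'s-computers"\r\n'
    "Authenticate: basic; kerberos\r\n"
    "\r\n"
)

# Hypothetical client preference, strongest first (an assumption, not part of the proposal).
PREFERENCE = ["External-KerberosIV", "PK-reverse", "kerberos", "basic"]

# One  name="value"  parameter, optionally followed by a comma.
_PARAM = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*(?:,|$)')

Challenge = Tuple[str, Dict[str, str]]

def parse_challenges(response: str) -> List[Challenge]:
    """Return [(scheme, params), ...] for every Authenticate: header of a 401."""
    head, _, _ = response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.0 401"):
        return []                               # only a 401 carries challenges
    found: List[Challenge] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authenticate":
            continue
        value = value.strip()
        if "," in value:                        # 'Scheme, k="v",k="v"' form
            scheme, rest = value.split(",", 1)
            found.append((scheme.strip(), dict(_PARAM.findall(rest))))
        else:                                   # 'scheme; scheme' bare-list form
            found.extend((s.strip(), {}) for s in value.split(";"))
    return found

def choose_scheme(challenges: List[Challenge],
                  preference: List[str] = PREFERENCE) -> Optional[Challenge]:
    """Pick the most preferred offered scheme; unknown schemes are ignored."""
    offered = {scheme: params for scheme, params in challenges}
    for scheme in preference:
        if scheme in offered:
            return scheme, offered[scheme]
    return None                                 # nothing acceptable: do not fall back
```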