Re: Access Authorization

From: cailliau@cernnext.cern.ch
Date: Fri, 17 Sep 93 18:49:12 +0200
Message-id: <9309171649.AA00908@www2.cern.ch>
To: marca@ncsa.uiuc.edu (Marc Andreessen), www-talk@nxoc01.cern.ch
Subject: Re: Access Authorization
Cc: ari@cernnext.cern.ch
Hi Marc and all,

Let me just point out what we are trying to do:
In a large collaboration for high-energy physics, there are many  
servers. All people in the collaboration want access to the  
collaboration-private data, they want to use a simple password  
scheme, they want to give their password only once per www session  
and they do not want to have accounts on all those machines. So we  
want what Ari is trying to do.

We want a lock on the door, or, as one British lock company allegedly  
once advertised: "our locks keep honest people out", in other words,   
the lock tells you: if you break in here, you are trespassing and you  
are not playing the game, but we cannot guarantee that really  
dishonest people will steal by whatever means. Let me also say that  
you have to trust the system administrators etc...

Now, if I were a banking institution, I would keep the handling of my  
customers' money transactions miles away from the Internet and Unix  
anyway.

So that is what I want Ari to do: provide a lock that is easy to use  
and does not cause headaches to the system administrators. We will  
probably have to duplicate the password files on all servers in a  
collaboration (unless we introduce a third machine in the exchange),  
and we will not use Unix schemes (because they do not apply on  
non-Unix platforms).

Kerberos etc. will eventually come and maybe even scale to include  
all of humanity.
I think that the way things are designed is open enough for different  
schemes and higher security later on.

---
Robert Cailliau  cailliau@cernnext.cern.ch
World-Wide Web Project
CERN -- European Laboratory for Particle Physics
CH-1211 Geneve 23 (Switzerland)
Tel. +41 22 767 5005