CGI/1.0: authentication

decoux@moulon.inra.fr (ts)
Date: Wed, 8 Dec 93 11:07:32 +0100
From: decoux@moulon.inra.fr (ts)
Message-id: <9312081007.AA15937@moulon.moulon.inra.fr>
To: robm@ncsa.uiuc.edu
Cc: www-talk@www0.cern.ch
In-reply-to: Rob McCool's message of Wed, 8 Dec 1993 02:49:13 -0600 <9312080849.AA04619@void.ncsa.uiuc.edu>
Subject: CGI/1.0: authentication
Content-Length: 1782


> I have added YAEV, Yet Another Environment Variable to the CGI spec: AUTH_TYPE.
> This is the protocol-specific method used to authenticate the user. The value
> of this variable would determine what is in the AUTH_USER variable (for
> instance, if it was public key authentication, this may be the user's public
> key). 

> Any problems with this?

 To give an example for public key authentication.

 Actually, to simplify, I distinguish:

  - communication between browser and "httpd" 
  - communication between "httpd" and script

 I suppose that "httpd" has all the information and must send this
information to the script.

 "httpd" can determine:
   1) if the script is protected
   2) if the script is callable (with the pathname of the script or any
other method). For me, it is the responsibility of the webmaster to verify
all callable scripts on the server.

 With this method, you drop the disadvantage on page 2:
 "The server does validate the user's identity, but the client does not
perform server authentication"
(WARNING: in my example "server" is the script, and client is "httpd")


 When httpd knows that it is a callable and protected script, you have two
possibilities for communication:

 1) "httpd" sends "AUTH" and receives "AUTH OK"

 the communication is

     httpd                script

            ============> AUTH
    AUTH OK <===========
            ============> PKA
        PKB <============
            ============> KAB(U)
            ============> KAB(P)
    ACC/REJ <============
                ...

  2) "httpd" sends "AUTH" and doesn't receive "AUTH OK"

     a) "httpd" can send the URL or can close the communication, but it *doesn't*
send PKA

     b) script can accept the URL or reject it.

        
 Any comments, please

Guy Decoux
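The exchange sketched in the message above, simulated end to end as an added example (this is not code from the original post or from any httpd of the period). The post only names PKA, PKB and KAB(x); the following are assumptions made here to run the flow: PKA/PKB are Diffie-Hellman public values over a toy group, KAB is the resulting shared secret, KAB(x) is a SHA-256 counter keystream XOR (a toy cipher, not a recommendation), a script that cannot authenticate answers "NO AUTH" (the post just says "AUTH OK" is not received), and the `Script`/`httpd_exchange` names and sample accounts are constructed. Both branches of the post are covered: the full AUTH / PKA / PKB / KAB(U) / KAB(P) / ACC-REJ path, and the no-"AUTH OK" path in which httpd may send the URL or close but never sends PKA.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (Mersenne prime 2**127 - 1, generator 3): constructed
# placeholder for the PKA/PKB key agreement the message names but does not specify.
P = 2**127 - 1
G = 3


def keystream_xor(kab: int, data: bytes) -> bytes:
    """KAB(x): XOR data with a SHA-256 counter keystream derived from KAB.
    Toy cipher used only to make the transcript concrete; symmetric, so it also decrypts."""
    key = hashlib.sha256(kab.to_bytes(16, "big")).digest()
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class Script:
    """The CGI script side. accounts maps user -> password (constructed sample data)."""

    def __init__(self, accounts, supports_auth=True, allowed_urls=()):
        self.accounts = accounts
        self.supports_auth = supports_auth
        self.allowed_urls = set(allowed_urls)
        self._b = None
        self._kab = None
        self._user = None

    def handle(self, msg):
        kind, payload = msg
        if kind == "AUTH":
            # Branch 2 of the post: a script that cannot do the exchange never says AUTH OK.
            return ("AUTH OK", None) if self.supports_auth else ("NO AUTH", None)
        if kind == "PKA":
            self._b = secrets.randbelow(P - 2) + 2
            self._kab = pow(payload, self._b, P)          # KAB from httpd's PKA
            return ("PKB", pow(G, self._b, P))
        if kind == "KAB(U)":
            self._user = keystream_xor(self._kab, payload).decode()
            return None                                    # wait for KAB(P)
        if kind == "KAB(P)":
            password = keystream_xor(self._kab, payload).decode()
            ok = self.accounts.get(self._user) == password
            return ("ACC" if ok else "REJ", None)
        if kind == "URL":
            # Branch 2b: the script accepts or rejects a URL sent without authentication.
            return ("ACC" if payload in self.allowed_urls else "REJ", None)
        if kind == "CLOSE":
            return None
        raise ValueError(f"unexpected message {kind}")


def httpd_exchange(script, user, password, url, send_url_without_auth=False):
    """Drive the exchange from the httpd side and return the transcript as a list
    of (sender, kind, payload). Only the message flow from the post is modelled."""
    transcript = []

    def send(kind, payload=None):
        transcript.append(("httpd", kind, payload))
        reply = script.handle((kind, payload))
        if reply is not None:
            transcript.append(("script",) + reply)
        return reply

    reply = send("AUTH")
    if reply == ("AUTH OK", None):
        # Branch 1: key agreement, then user and password under KAB, then ACC/REJ.
        a = secrets.randbelow(P - 2) + 2
        _, pkb = send("PKA", pow(G, a, P))
        kab = pow(pkb, a, P)                               # same KAB the script derived
        send("KAB(U)", keystream_xor(kab, user.encode()))
        send("KAB(P)", keystream_xor(kab, password.encode()))
    elif send_url_without_auth:
        send("URL", url)                                   # branch 2a: URL allowed, PKA is not
    else:
        send("CLOSE")
    return transcript


def outcome(transcript):
    """Final verdict of an exchange: 'ACC', 'REJ', or 'CLOSED'."""
    last = transcript[-1][1]
    return last if last in ("ACC", "REJ") else "CLOSED"


if __name__ == "__main__":
    demo = httpd_exchange(Script({"guy": "secret"}), "guy", "secret", "/cgi-bin/demo")
    for sender, kind, _ in demo:
        print(f"{sender:>6} -> {kind}")
    print("outcome:", outcome(demo))
```

The point of the branch structure is the one the post makes: httpd only reveals PKA once the script has said "AUTH OK", so a script that has not authenticated itself as a participant in the exchange never gets the key material, and the fallback is either a plain URL (which the script may still reject) or a closed connection.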