Re: Insecure WWW Access Authorization Protocol?

michael shiplett <michael.shiplett@umich.edu>
Errors-To: listmaster@www0.cern.ch
Date: Tue, 8 Mar 1994 23:21:01 --100
Message-id: <199403082215.RAB05451@totalrecall.rs.itd.umich.edu>
Reply-To: michael.shiplett@umich.edu
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: michael shiplett <michael.shiplett@umich.edu>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: Insecure WWW Access Authorization Protocol? 
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Length: 881
"ts" == Tony Sanders <sanders@BSDI.COM> writes:

ts> michael shiplett writes:
>> "ts" == Tony Sanders <sanders@BSDI.COM> writes:
>> The URL is as trustworthy as the source of the URL--whether the
>> source is in or out of band.
ts> If you cannot trust the server reply to get the realm information from
ts> then why do you think you can trust the URL?  You have exactly the
ts> same problems as when you started.

  Currently there is no mapping between the URL and the server's
identity--this is correct. I am proposing that the client authenticate
to an identity based on the URL. In this proposal I am not trusting
the server to give *any* information regarding its identity. As long
as the URL for a given service is trusted, authentication to said
service can proceed in a secure manner. Everything proceeds from a URL,
not from the initial connection to the service.

michael
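The design point above, as an added example that is not code from this thread: the client derives the identity it will authenticate to from the URL alone, so a realm announced in the server's challenge cannot steer it into presenting a secret meant for a different service. Host names, realm strings and credentials below are constructed for illustration.

```python
"""Added example (not from the www-talk thread): binding credentials to a
URL-derived identity instead of to the realm a server announces."""
from urllib.parse import urlsplit

# Constructed store keyed by the identity derived from the URL.
CREDENTIALS = {
    "http://archive.example.edu:80": ("mshiplett", "s3cret"),
}

# Constructed store keyed by server-announced realm: the design the post
# argues against, kept here only to show the difference.
REALM_CREDENTIALS = {
    "UM Archive": ("mshiplett", "s3cret"),
}


def service_identity(url):
    """Derive the identity to authenticate to from the URL only.

    Scheme, host (case-folded) and port are taken from the URL; nothing
    the server later says about itself is consulted.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("cannot derive an identity from %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return "%s://%s:%d" % (parts.scheme, parts.hostname, port)


def pick_by_realm(challenge):
    """Realm-keyed lookup: whatever realm the server names selects the secret,
    so any host can claim another service's realm and collect its credential."""
    return REALM_CREDENTIALS.get(challenge.get("realm"))


def pick_by_url(url, challenge):
    """URL-keyed lookup: the realm in the challenge is ignored; only the
    trusted URL decides which credential (if any) may be sent."""
    return CREDENTIALS.get(service_identity(url))


if __name__ == "__main__":
    rogue = {"realm": "UM Archive"}  # constructed challenge from another host
    print("realm-keyed:", pick_by_realm(rogue))
    print("url-keyed:  ", pick_by_url("http://rogue.example.net/", rogue))
```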