Authentication *before* GET?
"Peter Lister, Cranfield Computer Centre" <P.Lister@cranfield.ac.uk>
Errors-To: listmaster@www0.cern.ch
Date: Fri, 11 Mar 1994 14:16:20 --100
Message-id: <9403111256.AA02620@xdm039.ccc.cranfield.ac.uk>
Reply-To: P.Lister@cranfield.ac.uk
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: "Peter Lister, Cranfield Computer Centre" <P.Lister@cranfield.ac.uk>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Authentication *before* GET?
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Mailer: exmh version 1.3beta 2/17/94
Content-Length: 1093

Sorry, pressed the send button a touch early.

One thing which could be misinterpreted:

    Key-info: KerberosIV-session-key

This is intended to convey that the server is telling the client to use the
Kerberos session key for encryption; *not* that either party should actually
quote the key over HTTP. This would be very, very silly. Actually, thinking
about my later comments, I really want a method for preceding each
request/reply with a header which says that the following text is encrypted
(or not) and the mechanism used.

Also, while I said that a Can-authenticate header should not default to "None"
(so that a very secure server can clearly insist on authentication), browsers
should treat the *absence* of Can-authenticate as "None", to cope with older
servers.

Flame away. :-)

Peter Lister Email: p.lister@cranfield.ac.uk
Computer Centre, Cranfield University Voice: +44 234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK Fax: +44 234 750875
--- Go stick your head in a pig. (R) Sirius Cybernetics Corporation ---