Re: Authentication across multiple proxied servers

Daniel W. Connolly (connolly@hal.com)
Fri, 9 Sep 1994 00:12:49 +0200

In message <199409082113.RAA09572@postman.osf.org>, "W. Scott Meeks" writes:
>How does authentication work across multiple proxied servers? Can each
>server handle authentication independently, or is it confined to the first
>server or the browser?

Ah! Forwarding of credentials! When I read the HTTP and SHTTP specs,
I found this sorely lacking.

By the way... has anyone out there read the SHTTP spec enough to
understand just how it provides for spontaneous secure transactions?

Supposedly, two parties who have no previous knowledge of each other
can spontaneously begin a secure transaction using SHTTP. I read
that RFC three times, and I couldn't find the trick. I came away feeling
this was some deep RSA voodoo, not to be disclosed without a license.
But the more I think about it, the less I believe it.

Some relevant references:

HTTP:
http://www.commerce.net/cgi-bin/textit?/information/standards/drafts/shttp.txt

SHTTP:
http://info.cern.ch/hypertext/WWW/Protocols/HTTP/HTTP2.html

TAOS authentication (a system that has forwarding of credentials):
ftp://gatekeeper.dec.com/.2/DEC/SRC/research-reports/SRC-117.ps.Z

Proxy-Based Authorization and Accounting
for Distributed Systems
B. Clifford Neuman
ftp://ftp.cs.washington.edu/tr/1991/02/UW-CSE-91-02-01.PS.Z

I can't seem to find a good reference for Kerberos 4, but I believe
it supports forwarding of credentials.

I haven't read this one, but it looks promising:

AN EXTENSIBLE FRAMEWORK FOR AUTHENTICATION AND DELEGATION
BY
THERON DONALD TOCK
ftp://choices.cs.uiuc.edu/Papers/Theses/MS.Authentication.Delegation.ps.Z

By the way... I found these last few references with Harvest!
Check out:
http://rd.cs.colorado.edu/brokers/cstech/query.html

Dan