Re: authentication cleanups

Mary Ellen Zurko (zurko@osf.org)
Fri, 11 Nov 1994 02:58:32 +0100

> In a way, yes. But truly anal security fiends would say that this is
> divulging potentially sensitive information.

We would not! :-) We would say "What is your security policy? Is that
information world readable?" and "What is the strength of your
security system? Is it easy enough to spoof so that it doesn't
matter?". Since tcp addresses are spoofable anyway, making security
less friendly is only encouraging people to work around it, which
makes it less secure. User-friendly security _is_ better security.

> They get nervous when you
> tell folks the difference between "file not found" and "unauthorized".

Only if you've got a Mandatory Access Control policy, that mandates
that folks with a Confidential clearance can't know the names of Top
Secret files, since their names are Top Secret too. Anybody with this
policy isn't using the standard WWW security mechanisms :-).

> As long as you're using the basic authentication scheme, you're certainly
> not in the league of anal security fiends, and this may be OK.

Exactly.
An anal security (and usability) fiend,
Mez