[1726] in WWW Security List Archive
Re: User Auth.
daemon@ATHENA.MIT.EDU (Larry J. Hughes Jr.)
Tue Mar 26 18:13:30 1996
To: nneul@umr.edu (Nathan Neulinger)
cc: "S.W. Cheung" <swcheung@hkimd.cig.mot.com>, www-security@ns2.rutgers.edu
In-reply-to: Your message of "Tue, 26 Mar 1996 09:10:52 EST."
<v02130501ad7db80d4646@[131.151.253.33]>
Date: Tue, 26 Mar 1996 14:22:49 -0500
From: "Larry J. Hughes Jr." <hughes@indiana.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
#I've suggested an "Unauthenticate" menu option to netscape many times, but
#it's not like they ever listen to users.

Better yet, integrate this functionality into HTTP so the server
can optionally request that the browser not cache the user's
password. Assuming that the browser is well-behaved (which is
obviously a big assumption these days :-) the net effect would be
a one-time, non-sticky authentication.

This scheme would interoperate with both basic auth and digest
auth. To boot, the otherwise braindead basic auth protocol could
be leveraged to implement a one-time password scheme (like S/KEY).

It's on my wish list.
---
Larry J. Hughes, Jr. hughes@indiana.edu
Indiana University http://copper.ucs.indiana.edu/~hughes/
* Author, "Actually Useful Internet Security Techniques," ISBN 1-56205-508-9 *
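
The one-time password idea mentioned in the message above, sketched as an added example that is not part of the original post: an S/KEY-style hash chain whose values travel in the password field of an ordinary Basic `Authorization` header. It assumes SHA-256 in place of S/KEY's own hash and encoding, and the names `chain`, `basic_header` and `OtpVerifier` are hypothetical.

```python
import base64
import hashlib
import hmac


def chain(seed: bytes, n: int) -> bytes:
    """Apply the hash n times to the seed: H^n(seed)."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


def basic_header(user: str, otp: bytes) -> str:
    """Client side: carry the one-time value as the Basic auth password."""
    token = f"{user}:{otp.hex()}".encode()
    return "Basic " + base64.b64encode(token).decode()


class OtpVerifier:
    """Server side: stores only the last accepted chain value per user."""

    def __init__(self):
        self.last = {}  # user -> H^k(seed), the most recently accepted value

    def enroll(self, user: str, top: bytes) -> None:
        self.last[user] = top

    def verify(self, header: str) -> bool:
        scheme, _, blob = header.partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            raw = base64.b64decode(blob, validate=True).decode()
            user, _, hex_otp = raw.partition(":")
            otp = bytes.fromhex(hex_otp)
        except ValueError:  # bad base64, bad UTF-8 or bad hex
            return False
        stored = self.last.get(user)
        if stored is None:
            return False
        # The presented value must hash to the stored one.
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), stored):
            return False
        self.last[user] = otp  # step down the chain; a replayed header now fails
        return True
```

Because the server keeps only the last accepted value, a password captured off the wire or left in a browser cache does not authenticate a second request.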