[2930] in WWW Security List Archive
Re: S/KEY authentication over HTTP protocol
daemon@ATHENA.MIT.EDU (Adam Shostack)
Wed Sep 11 22:52:28 1996
From: Adam Shostack <adam@homeport.org>
To: mess@bae.bellcore.com (Mike E. Straw)
Date: Wed, 11 Sep 1996 21:26:10 -0500 (EST)
Cc: calai@ncspo3.ncs.com.sg, www-security@ns2.rutgers.edu
In-Reply-To: <9609111328.AA04119@piano> from "Mike E. Straw" at Sep 11, 96 09:28:17 am
Errors-To: owner-www-security@ns2.rutgers.edu
Mike E. Straw wrote:
| Charles:
|
| I'm an S/key enthusiast and have thought of using S/key in a web environment.
| However the biggest stumbling blocks I see with using S/key are:
|
| 1. S/key is "session oriented" (authenticate once and you have access
| to the protected resources), while web access is stateless,
| every page is a new session oriented.
You might drop the S/key token in a short-lived cookie (say,
15 minutes), and not update skeykeys until the cookie dies?
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
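
The following is an added example, not part of the original message: a sketch of the server-side bookkeeping the reply suggests, where the one-time password rides in a 15-minute cookie and the skeykeys entry is advanced only once that cookie has expired. The class and function names are hypothetical, SHA-256 truncated to 64 bits is assumed in place of S/KEY's own hash, and the seed is constructed. It makes the trade-off visible: inside the window the same token is accepted on every request.

```python
import hashlib
import hmac

WINDOW = 15 * 60  # cookie lifetime in seconds, per the suggestion above

def h(value: bytes) -> bytes:
    # Assumption: SHA-256 truncated to 64 bits stands in for S/KEY's hash.
    return hashlib.sha256(value).digest()[:8]

def chain(seed: bytes, n: int) -> bytes:
    """Apply h() n times to the seed: the n-th one-time password."""
    for _ in range(n):
        seed = h(seed)
    return seed

class SkeyCookieGate:
    """Hypothetical server-side state for one user (one skeykeys entry)."""

    def __init__(self, stored: bytes, seq: int):
        self.stored = stored   # last committed OTP
        self.seq = seq         # its sequence number
        self.pending = None    # (otp, expiry) while a cookie is live

    def check(self, cookie_otp: bytes, now: float) -> bool:
        # Cookie died: only now advance the stored entry.
        if self.pending and now >= self.pending[1]:
            self.stored, self.seq = self.pending[0], self.seq - 1
            self.pending = None
        # Live cookie: accept the same token again, and nothing else.
        if self.pending:
            return hmac.compare_digest(cookie_otp, self.pending[0])
        # No live cookie: normal S/KEY check, h(otp) must equal stored value.
        if hmac.compare_digest(h(cookie_otp), self.stored):
            self.pending = (cookie_otp, now + WINDOW)
            return True
        return False

def demo():
    seed = b"constructed-seed"  # constructed sample input
    gate = SkeyCookieGate(chain(seed, 100), 100)
    otp99, otp98 = chain(seed, 99), chain(seed, 98)
    return [
        gate.check(otp99, 0),    # first page: verified, cookie starts
        gate.check(otp99, 600),  # later page inside the window: accepted
        gate.check(otp98, 700),  # different token inside the window: rejected
        gate.check(otp99, 900),  # cookie dead, entry advanced: rejected
        gate.check(otp98, 901),  # next OTP in the chain: accepted
    ], gate.seq
```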