[3846] in WWW Security List Archive
Re: web server's security -Reply
daemon@ATHENA.MIT.EDU (RL "Bob" Morgan)
Thu Dec 19 05:37:04 1996
Date: Thu, 19 Dec 96 00:14:04 -0800
From: RL "Bob" Morgan <Bob.Morgan@stanford.edu>
To: www-security@ns2.rutgers.edu
In-Reply-To: Your message
<Pine.BSI.3.93.961218153723.11116F-100000@descartes.veriweb.com> of Wed, 18
Dec 1996 15:42:24 -0800 (PST)
Errors-To: owner-www-security@ns2.rutgers.edu

Jeremey Barrett <jeremey@veriweb.com>:
> Whether non-existent or bogus, identd info should never
> be used as a basis for authentication.

Certainly true for the existing identd. See draft-morgan-ident-ext-02.txt in
your favorite Internet Drafts repository for a proposed set of extensions to the
Ident protocol to support strong authentication. Please read the disclaimers in
that doc to the effect that this approach is not a preferred approach to adding
security to a protocol, but is a near-term hack to meet a pressing need. It's
very similar to Project Mandarin's SideCar/FrontCar.

Stanford will be deploying this shortly to support use of our Kerberos 4
infrastructure for authenticating web access. A modified version of pidentd
will be available that includes both UNIX requester and responder. Mac and
Windows responders are mostly done. We'll notify this list when distributions
are available.

- RL "Bob" Morgan
ITSS/CCS
Stanford