[710] in WWW Security List Archive


Req for HTTP Sec questions

daemon@ATHENA.MIT.EDU (Mary Ellen Zurko)
Wed May 17 15:35:07 1995

From: zurko@osf.org (Mary Ellen Zurko)
To: www-security@ns2.rutgers.edu
Date: Wed, 17 May 95 10:28:28 EDT
Cc: zurko@osf.org (Me)
Errors-To: owner-www-security@ns2.rutgers.edu

I'm sorry it's taken me so long to share my questions about the
HTTPSec internet draft. Answers are appreciated.

> It is envisioned that HTTPSec may
>     coexist in a single transaction with such mechanisms, each
>     providing security services at the appropriate level, with at
>     worst some redundancy of service.

What about user confusion? For instance, if the two services use two
different identities for authentication? You don't cover
authorization, but the identity from authentication can get used for
authorization; how does the user figure out which identity is used?

>     To allow user privacy, HTTPSec must support service
>     authentication without user authentication.

Isn't this a problem for Kerberos (a pretty popular distributed
authentication server :-)? My understanding is that authentication in
Kerberos is always mutual; the client has to authenticate for the
server to authenticate. If you said "should" instead of "must", that
wouldn't be a problem. I think DCE 1.1 can satisfy at least the spirit
of this requirement, since it has an anonymous identity that can be
used for authentication. However, it would be better if the wording
made clear that that sort of thing was sufficient.

	Mez
