[731] in WWW Security List Archive
Re: Req for HTTP Sec questions
daemon@ATHENA.MIT.EDU (Mary Ellen Zurko)
Mon Jun 5 13:18:17 1995
From: zurko@osf.org (Mary Ellen Zurko)
To: jsimao@fct.unl.pt
Date: Mon, 5 Jun 95 8:54:38 EDT
Cc: www-security@ns2.rutgers.edu, zurko@osf.org
In-Reply-To: <199506021745.TAA01615@stimpy.di.fct.unl.pt>; from "Jorge Paulo Ferreira Simao" at Jun 2, 95 7:45 pm
Errors-To: owner-www-security@ns2.rutgers.edu
> > > To allow user privacy, HTTPSec must support service
> > > authentication without user authentication.
>
> > Isn't this a problem for Kerberos (a pretty popular distributed
> > authentication server :-)? My understanding is that authentication in
> > Kerberos is always mutual; the client has to authenticate for the
> > server to authenticate. If you said "should" instead of "must", that
> > wouldn't be a problem. I think DCE 1.1 can satisfy at least the spirit
> > of this requirement, since it has an anonymous identity that can be
> > used for authentication. However, it would be better if the wording
> > made clear that that sort of thing was sufficient.
>
> I think that the stance of the draft is to specify what an ideal
> implementation should be. That doesn't mean that all implementations, in all
> modes of operation, should follow exactly what the draft says.
No offense Jorge, but I'd like to hear an author say that :-) (I'd
settle for Charlie too). The draft pretty carefully uses "must" and
"should"; if this point used "should", I would agree with you.
Mez