Re: [Auth]meeting notes and LOC

From: Barry Fitzgerald
Subject: Re: [Auth]meeting notes and LOC
Date: Wed, 10 Jul 2002 07:46:29 -0400

david nicol wrote:
> I think requiring users to get additional software is not acceptable.
> Cookies
> provide plenty of data.

Cookies have security issues associated with them.  Sure, you could use
session cookies and you could pass them encoded (which only provides
menial security, at best - where a casual onlooker to your data stream
would simply have to snatch up the encoded cookie data and decode it)
and over SSL and have some basic level of protection.

But, I think that more so, this represents a misunderstanding that is
quite common.  It's something I was originally confused about and it's
something that I figured out fairly early on.

Webservices != web browser.

Microsoft happens to be solving this by tying the web browser in with
the rest of the operating system.  This is a bad (very very very bad)
design decision from almost any perspective that you can come from. 
But, it is creating a lot of confusion around the concept of

Web Services may be provided using web protocols, but the client does
not have to be a web browser, which means that a cookie-dependent
authentication system (like passport) for GNU/Linux will not meet the
authentication requirements.

Now, having said that, for the current auth projects to implement an
mod_dgauth apache module that supplies a cookie-based interface to their
designs -- well, that would be a very interesting proposition.

I also happen to think that having the user install extra software is
not a negotiable issue.  We can't get secure infrastructures onto
systems magically -- they simply don't exist the way that we need them
to exist on certain OSes to make it reasonably possible to lean on a
thin-client only model.
