Re: [Auth]meeting notes and LOC

From: Barry Fitzgerald
Subject: Re: [Auth]meeting notes and LOC
Date: Wed, 10 Jul 2002 07:46:29 -0400
david nicol wrote:
>
> I think requiring users to get additional software is not acceptable.
> Cookies provide plenty of data.
>
Cookies have security issues associated with them. Sure, you could use
session cookies and you could pass them encoded (which only provides
menial security, at best - where a casual onlooker to your data stream
would simply have to snatch up the encoded cookie data and decode it)
and over SSL and have some basic level of protection.
But, I think that more so, this represents a misunderstanding that is
quite common. It's something I was originally confused about and it's
something that I figured out fairly early on.
Webservices != web browser.
Microsoft happens to be solving this by tying the web browser in with
the rest of the operating system. This is a bad (very very very bad)
design decision from almost any perspective that you can come from.
But, it is creating a lot of confusion around the concept of
webservices.
Web Services may be provided using web protocols, but the client does
not have to be a web browser, which means that a cookie-dependent
authentication system (like passport) for GNU/Linux will not meet the
authentication requirements.
Now, having said that, for the current auth projects to implement a
mod_dgauth apache module that supplies a cookie-based interface to their
designs -- well, that would be a very interesting proposition.
I also happen to think that having the user install extra software is
not a negotiable issue. We can't get secure infrastructures onto
systems magically -- they simply don't exist the way that we need them
to exist on certain OSes to make it reasonably possible to lean on a
thin-client-only model.
-Barry