Re: [Auth]meeting notes and LOC

dotgnu-auth

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Auth]meeting notes and LOC

From:	Mario D. Santana
Subject:	Re: [Auth]meeting notes and LOC
Date:	Wed, 10 Jul 2002 09:11:14 -0400

address@hidden wrote:

> Cookies have security issues associated them. [...]
>
> But, I think that more so, [...]
> Webservices != web browser.

I agree. But there are situations where either there is no choice (do 
it with a browser or not at all,) or the convenience outweighs the 
security concerns.

The answer, of course, is to push the cookies away from the framework.
Cookies are only the way we'll protect resources that are served to
thin-client browsers. For webservice resources that serve custom or
extensible or otherwise "smart enough" clients, we can go to town. Both
types of security will use the same framework.

MACS, for example, is protecting a couple of extranets and a discussion
server. The extranets have cookie-based protection (over SSL and all
that, like you mentioned.) The NNTP service doesn't even have the concept
of cookies -- it's tied into the framework in whichever way makes the
most sense for that particular application.

As always, it's about choice. Don't lets assume we know what's best for 
the user/integrator/developer.

Cheers!

mds

-- 
Be braver -- you can't cross a chasm in two small leaps.

[Prev in Thread]

Current Thread

[Next in Thread]

[Auth]meeting notes and LOC, david nicol, 2002/07/10
- Re: [Auth]meeting notes and LOC, Barry Fitzgerald, 2002/07/10
  - Re: [Auth]meeting notes and LOC, Mario D. Santana <=
    - Re: [Auth]meeting notes and LOC, Barry Fitzgerald, 2002/07/10
    - Re: [Auth]meeting notes and LOC, Mario D. Santana, 2002/07/10
  - [Auth]gnutls, Ken Nowack, 2002/07/10

Prev by Date: Re: [Auth]meeting notes and LOC
Next by Date: [Auth]gnutls
Previous by thread: Re: [Auth]meeting notes and LOC
Next by thread: Re: [Auth]meeting notes and LOC
Index(es):
- Date
- Thread