[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Auth]meeting notes and LOC
|
From: |
Barry Fitzgerald |
|
Subject: |
Re: [Auth]meeting notes and LOC |
|
Date: |
Wed, 10 Jul 2002 16:46:05 +0000 (UTC) |
On Wed, 10 Jul 2002, Mario D. Santana wrote:
> > Cookies have security issues associated them. [...]
> >
> > But, I think that more so, [...]
> > Webservices != web browser.
>
> I agree. But there are situations where either there is no choice (do
> it with a browser or not at all,) or the convenience outweighs the
> security concerns.
>
Agreed.
> The answer, of course, is to push the cookies away from the framework.
> Cookies are only the way we'll protect resources that are served to
> thin-client browsers. For webservice resources that serve custom or
> extensible or otherwise "smart enough" clients, we can go to town. Both
> types of security will use the same framework.
>
That's why - if you've got to use Cookies for something (or it is
beneficial) I'll put my support behind an apache mod_dgauth that refers
back to the original authentication and profiling mechanism... that way,
you sort of get the best of both worlds.
>
> As always, it's about choice. Don't lets assume we know what's best for
> the user/integrator/developer.
>
Firmly agreed - but we have an obligation to produce the most
well-designed solution first and then build around that to make it easier
and to provide more choices. But, we can't forget out mandate: 1) It
must be a Free Software alternative 2) It must be more secure than the
alternatives and non-centralized. Now, there's only so far that one can
go with decentralization. You're going to have authentication
authorities. But, the important point is to have that be as flexible as
possible.
I'm just rehashing the points to keep us on track. :) Great discussion
starter, though, David and Mario. Let's start looking at how a mod_dgauth
would work...
-Barry