httpd-dev mailing list archives
From Lucid <lu...@secret.org>
Subject Re: PUT authoring
Date Tue, 18 Jun 1996 22:23:18 GMT
> 
> On Tue, 18 Jun 1996, Rob Hartill wrote:
> > > > Only the user-id is in the cookie. That's safe. 
> > > 
> > > Huh?  So, the server sees "brian" in the cookie, and calls that
> > > authentication?  
> > 
> > no, it sees "brian" and says "ah, I need to generate a challenge for 'brian'"
> > and it sends the challenge. Your client then uses the challenge and the secret
> > password to generate a one-time password which it sends back to gain access.
> 
> Which, by my understanding, was exactly how digest auth worked.  Except
> you don't need to create a challenge specific to "brian", "brian" is sent
> back with the hash of the secret password and the challenge.
> 
> I guess the disconnect I'm having is that one-time-password systems I'm
> familiar with involve some external mechanism to map challenges to
> responses - a piece of paper with challenge/response pairs, a small
> calculator-sized box with an LCD screen, etc - and more importantly, it
> involves a true, unbroken session, as in a telnet session.  HTTP at a
> semantic level (if not a functional level anymore) breaks the connection
> with every object request, so the system which asks for reauthentication
> needs to be automated to some degree, unless you want people to enter a
> new password for every object.  And that's where digest auth fits in, no?
> 
> 	Brian
> 
> 
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
> 
> 

Check out Fetch on the Macintosh. It implements S/Key automagically:
you have to enter a different password, obtained in a secure manner
(i.e. phone, encrypted, etc...), into your system config
for S/Key, and it will automagically do the challenge/response for you
whenever it is asked for...
The other use is giving people a list of OTPs (one-time passwords) that
will give them access to resources that only need a single session to
access, i.e. pay-per-use schemes.

/images/weather/nyc.gif   is a protected resource.
You issue 10 OTPs to a user for $1.00; they can then check the weather ten
times, unless they buy more... this also can be automated... if you want...

-bill
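As an added illustration of the S/Key-style challenge/response discussed in this thread (this is not code from the thread, from Fetch, or from Apache): the server stores only a hash-chain verifier, the user-id in the cookie merely selects which challenge to issue, each accepted response becomes the next verifier so it cannot be replayed, and a pre-computed list of OTPs covers the pay-per-use case. SHA-256 stands in for S/Key's folded MD4, and all names, the sample password and the seed are assumptions.

```python
import hashlib


def h(value: bytes) -> bytes:
    # One step of the one-way chain. Real S/Key (RFC 1760) uses folded MD4;
    # SHA-256 is substituted here purely for illustration.
    return hashlib.sha256(value).digest()


def chain(password: str, seed: str, counter: int) -> bytes:
    # OTP number `counter`: hash the (seed, password) start value `counter` times.
    v = h((seed + password).encode())
    for _ in range(counter):
        v = h(v)
    return v


def enroll(password: str, seed: str, n: int) -> bytes:
    # Client-side setup: the password was obtained out of band (phone, encrypted
    # mail, ...) and never leaves the client; only h^n is handed to the server.
    return chain(password, seed, n)


class SKeyServer:
    """Stores per user: seed, counter n and verifier h^n. Never the password."""

    def __init__(self):
        self.users = {}

    def register(self, user, seed, n, verifier):
        self.users[user] = {"seed": seed, "n": n, "verifier": verifier}

    def challenge(self, user):
        # Seeing "brian" in the cookie only tells the server which challenge to
        # issue; the challenge itself is public and useless without the password.
        rec = self.users[user]
        return rec["n"] - 1, rec["seed"]

    def verify(self, user, response):
        rec = self.users[user]
        if rec["n"] <= 0 or h(response) != rec["verifier"]:
            return False            # exhausted chain, wrong password, or replay
        rec["verifier"] = response  # accepted OTP becomes the next verifier,
        rec["n"] -= 1               # so the same value can never be replayed
        return True


def client_response(password, counter, seed):
    # What Fetch does "automagically": answer the challenge from the stored password.
    return chain(password, seed, counter)


def otp_list(password, seed, n, count):
    # Pay-per-use: pre-print `count` OTPs for counters n-1 down to n-count.
    return [chain(password, seed, n - i) for i in range(1, count + 1)]
```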
