> Any problems with this?
To give an example of public key authentication.
Actually, to simplify, I distinguish:
- communication between browser and "httpd"
- communication between "httpd" and script
I suppose that "httpd" has all the information and it must send this
information to the script.
"httpd" can determine:
1) if the script is protected
2) if the script is callable (with the pathname of the script or any
other method). For me, it is the responsibility of the webmaster to verify
all callable scripts on the server.
With this method, you drop the disadvantage on page 2:
"The server does validate the user's identity, but the client does not
perform server authentication"
(WARNING: in my example "server" is the script, and "client" is "httpd")
When httpd knows that it is a callable and protected script, you have two
possibilities for communication:
1) "httpd" sends "AUTH" and receives "AUTH OK"
communication is

    httpd                    script
    ============> AUTH
          AUTH OK <============
    ============> PKA
              PKB <============
    ============> KAB(U)
    ============> KAB(P)
          ACC/REJ <============
    ...
2) "httpd" sends "AUTH" and doesn't receive "AUTH OK"
a) "httpd" can send the URL or can close the communication, but it *doesn't*
send PKA
b) script can accept the URL or reject it.
Any comments, please.
Guy Decoux
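The exchange described in the post, as an added simulation that is not part of the original message and not code by its author. Both sides are modelled in one process: `Script` is the post's "server", `Httpd` its "client". PKA/PKB are stood in for by a toy Diffie-Hellman exchange and KAB(U)/KAB(P) by a toy stream cipher with an HMAC tag; those constructions, the user table and the message names are assumptions made for the example. The point it shows is the post's rule for case 2: when no "AUTH OK" comes back, httpd hands over the URL and never sends PKA, and the script refuses any PKA or KAB message that arrives out of sequence.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group standing in for PKA/PKB and the shared key KAB.
# Constructed for this simulation only; far too small for real use.
DH_P = (1 << 127) - 1
DH_G = 5


def gen_keypair():
    """Return (private, public) in the toy group."""
    priv = int.from_bytes(os.urandom(16), "big") % (DH_P - 2) + 2
    return priv, pow(DH_G, priv, DH_P)


def derive_kab(priv, peer_pub):
    """KAB = SHA-256 of the shared secret g^ab mod p."""
    shared = pow(peer_pub, priv, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(kab, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(kab + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(kab, text):
    """KAB(text): toy stream cipher plus HMAC tag (assumed construction)."""
    nonce, data = os.urandom(16), text.encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(kab, nonce, len(data))))
    tag = hmac.new(kab, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(kab, blob):
    """Inverse of seal(); raises ValueError on a bad tag."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kab, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(body, _keystream(kab, nonce, len(body)))).decode()


class Script:
    """The script side (the post's 'server')."""

    def __init__(self, protected, users):
        self.protected = protected
        self.users = users          # user -> password; constructed sample data
        self.state, self.kab, self.user = "start", None, None

    def handle(self, msg):
        kind = msg[0]
        if kind == "AUTH":
            if not self.protected:
                return None         # case 2: no AUTH OK is ever sent
            self.state = "auth"
            return ("AUTH OK",)
        if kind == "URL":           # case 2b: accept or reject the bare URL
            return ("ACC",) if not self.protected else ("REJ",)
        if kind == "PKA" and self.state == "auth":
            priv, pub = gen_keypair()
            self.kab, self.state = derive_kab(priv, msg[1]), "keyed"
            return ("PKB", pub)
        if kind == "KAB" and self.state == "keyed":
            try:
                value = open_sealed(self.kab, msg[1])
            except ValueError:
                return ("REJ",)
            if self.user is None:   # first sealed message is KAB(U)
                self.user = value
                return None
            expected = self.users.get(self.user)   # second is KAB(P)
            ok = expected is not None and hmac.compare_digest(expected.encode(), value.encode())
            return ("ACC",) if ok else ("REJ",)
        return ("REJ",)             # anything out of sequence


class Httpd:
    """The httpd side (the post's 'client'), holding the user's credentials."""

    def __init__(self, user, password):
        self.user, self.password = user, password

    def request(self, script, url):
        """Run the exchange; return (verdict, list of message kinds httpd sent)."""
        sent = []

        def send(msg):
            sent.append(msg[0])
            return script.handle(msg)

        if send(("AUTH",)) != ("AUTH OK",):
            return send(("URL", url))[0], sent     # case 2a: PKA is never sent
        priv, pub = gen_keypair()                  # case 1
        reply = send(("PKA", pub))
        if not reply or reply[0] != "PKB":
            return "REJ", sent
        kab = derive_kab(priv, reply[1])
        send(("KAB", seal(kab, self.user)))
        return send(("KAB", seal(kab, self.password)))[0], sent


if __name__ == "__main__":
    users = {"alice": "s3cret"}                    # constructed
    print(Httpd("alice", "s3cret").request(Script(True, users), "/cgi-bin/app"))
    print(Httpd("alice", "wrong").request(Script(True, users), "/cgi-bin/app"))
    print(Httpd("alice", "s3cret").request(Script(False, users), "/cgi-bin/page"))
```

Running it prints an ACC for the protected script with the right password, a REJ for the wrong one, and for the unprotected script an ACC reached with only `AUTH` and `URL` on the wire. The script's `state` field is what enforces the ordering in the diagram: a PKA or KAB message before AUTH OK is rejected rather than processed.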