Minimal Authorization

Michael A. Dolan (miked@CERF.NET)
Fri, 12 Aug 1994 10:38:35 -0700


Has there been any recent discussion in regard to a minimal authorization
for HTTP?

SHEN and the other proposals that have come up recently are fine
and serve a good purpose. However, I think there is a need for some
minimal authorization, low-security mechanism for some applications.

While I'm sure the security purists will object to passwords and HTTP
objects sent in the clear, I think there are, in the near term, many
applications that require security only "as good as what they're using now"
(i.e., passwords and text sent in the clear). A good application of this
was demonstrated by Mr. Freeman-Benson's paper in Geneva.

Anyone here wish to comment on the appropriateness of such an implementation?
I am thinking of simply implementing the "Authorization" field "user" scheme
as it is loosely proposed in the 11/93 HTTP spec and "implemented by AL Sep
1993".

Ari - if you're listening - any comments or words of wisdom on your
ACCESS_AUTH code ?

Mike
-----------------------------------------------
Michael A. Dolan - <mailto:miked@cerfnet.com>
TerraByte Technology (619) 445-9070, FAX -8864