Re: [squid-users] authentication via cookies

From: Henrik Nordstrom <[email protected]>
Date: Sun, 8 Dec 2002 19:20:03 +0100 (CET)

On 8 Dec 2002, Waitman C. Gobble, II wrote:

> Well, somehow the proxy/server _needs_ to have the ability to ask the
> client to identify itself with a digital signature. Perhaps the
> technology is not yet in place but it _will_ be.

The parts in needed in Squid for using SSL certificates is available and
will be an integral part of Squid-3, but until the browser vendors see a
need for SSL to proxies the application of this is limited to where Squid
runs as an reverse-proxy / surrogate server.

> I think that the authentication process would be something like matching
> a public key's fingerprint to a set of "allowed" keys on a keyring
> located on the server. Or better yet, a public key "set" located on an
> ldap directory.

Sounds like you are looking for something like PGP certificate
authentication. To my knowledge there is not yet any standard for how such
authentication should be done within HTTP. However, writing such
authentication scheme specification is technically not a very hard thing
and should be possible to model on a design similar to that of HTTP
Digest authentication for nounce exchanges etc but using certificate
signing instead of HMAC as signing method.

SSL authentication works somewhat differently with it's hierarchical trust
model, mainly based on CA trust for providing the user id and
authorization based on the user id for providing permissions.

> Down the road, I believe that usernames, passwords, credit card numbers,
> contact information etc will be nonessential to authentication,
> authorization, e-commerce, etc. Current methods of storing these types
> of information on a server is a security risk, regardless of "how tight"
> the security methods in place on the server.

Ideally, but it is likely to take a while to get there. The
standardisation and acceptance how to manage such personal information on
the Internet neccesarily moves slower than most..

Today there is many competing projects aiming at providing "the solution"
to this familiy of problem, but I do not see it likely there will be a
good solution acceptable both to end-users and service providers any time
soon as the interests of these two groups are quite different. There is
very likely a rocky road ahead for some many years still before a good
generally acceptable solution is found (if at all possible in the modern
world.. there is way too much politics involved in this area..).

A general solution to this problem requires acceptance by all of
  - Major server vendors
  - Major browser vendors
  - Most major service providers
  - Most users
  - Patent owners having patents which may be required by such solution

Until such agreement can be met we have to live with a set sub-optimal
solutions layering ontop of existing infrastructure, and most likely
heavily biased towards one or two of the above groups or other specific
commercial interests.

Regards
Henrik
Received on Sun Dec 08 2002 - 11:20:10 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:55 MST