Re: 3 Proposals: session ID, business-card auth, customer auth

Daniel DuBois ([email protected])
Tue, 18 Jul 95 08:27:16 -0500


>******* II. The business-card authentication scheme
>
>I propose a new http authentication scheme; let's call it
>"business-card". Its purpose is to facilitate access control policies
>similar to "I'll show you my information if you'll leave your business
>card in the bowl."
>
>An HTTP server may respond to requests with a 403 response, and
>specify the business-card scheme in the challenge, along with a list
>of required, suggested, permitted, and refused fields.

What about the millions of installed browsers which don't have the business
card authentication scheme built in? Some browsers [Enhanced Mosaic plug]
might have plug-in security modules, but they're the exception. These
people won't be able to see your pages? Then you're cutting yourself off
from a huge audience of people who won't bother with a site that's hard to
get into. You may as well use basic authentication, then at the time of
registration you can get all the information about that user that you want.

Will you revoke the auth requirement if the browser doesn't have it? Then
you let un-trackable people in anyway. Might as well rely on the 'From:'
field, since it too is an optional field. In fact, if we are going to
design browsers that allow the user the *option* of following the business
card auth scheme, we might as well design browsers to allow the user the
*option* of sending out the 'From:' field, and, if a server really wanted
to, it could alter its output based on whether or not a From: field exists.

In other words, let's use what's already there.
-----
Dan DuBois, Software Animal [email protected]
(708) 505-1010 x532 http://www.spyglass.com/~ddubois/