Re: [Auth]The simplest thing that can possibly work

[Norbert Sendetzky]

On Sunday 15 July 2001 20:35, you wrote:

Ron, you are damn right!
We have to keep it small and simple, but what we must not do (never!) is to 
create a protocol that we have to break, if we want to extend it.

On the implementation side I think we can do this (like you mentioned) with 
normal data tranfers and HTTP posts. But we must define a protocol how user 
data is requested because this doesn't exist until now. If websites require 
user name and password, they do it by displaying a form (somewhere in the 
html code) which is different on each site. You can not detect what 
information the form is awaiting. We definitly need something (a protocol) 
that let us know, what we have to do.

I think about a few requirements to archive this simplicity:
1.) We can expect that a server-side language is available on the web server, 
because if not, they are not able to process the information today
2.) Our protocol should be in text format, because this is easy to parse
3.) Maybe we can use XML; parsers are available in most server-side languages


A possible example:

Request from a website:
<dotgnu action="request" origin="www.dotgnu.org">
   <auth>
      <item>name</item>
      <item>password</item>
   </auth>
</dotgnu>

Reply from the client after the user has accepted the transmission (this time 
or in the past):
<dotgnu action="reply">
   <auth>
      <name>me</name>
      <password>verysecret</password>
   </auth>
</dotgnu>


It is simple and could be easily extended, e.g. by CC information or a 
certificate or ...

Other opinions?


Norbert