dotgnu-auth

[Auth]A simple serverside authentication scheme


From: Nick Lothian
Subject: [Auth]A simple serverside authentication scheme
Date: Mon, 16 Jul 2001 10:29:12 +0930

Many people here doubt it is possible to come up with a serverside
authentication scheme that is easier to implement than a browser-plugin.
Here's my attempt (after 5 minutes thought):

A webmaster wants to protect a particular page on their website, but they
have no programming skills and no access to server side scripting languages.

They go to an Auth.GNU website, enter the url of the page they want to
protect, and a page the user goes to if they are not authorised. That
returns a unique identifier.

The user returns to their HTML page, and whips up a simple username/password
form that posts that info to the Auth.GNU site, along with the unique
identifier. 

If the user is correctly identified, then they are redirected to the correct
page. If not, they are sent to the error page.

Advantages: 
1) It is simple, and it will work. Much of the porn industry is based on
similar authentication schemes (Remember the Communications Decency Act or
whatever it was called? Sites like AdultCheck (www.adultcheck.com) grew out
of the need to authenticate people anonymously to websites, and yet verify
they had a valid credit card. Now they provide income to website owners)

2) J. Random Website never gets to see the users name or password.

3) It uses current, well understood technologies (HTML posts)

4) The basic architecture can be easily extended by adding SOAP and XML-RPC
interfaces to the server.

Disadvantages:
1) Decentralisation is difficult (isn't it always?). There are ways around
this - the user could optionally enter information about the server they
want to be authenticated against, but then the site would need to choose if
they trust that site or not.

2) A site could pretend to be authenticating against Auth.GNU, and then post
to a different URL to steal identities. This problem is common to most
authentication schemes, though.

3) It doesn't deal with issues like the website needing information on the
user.

Obviously, there are issues - particularly the decentralisation aspects - but
it is a system that would work and could be implemented very quickly.



Regards
  Nick Lothian
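The three-step flow in the post above (register a page and get an identifier, put a form on the page that posts to the auth site, get redirected to the protected or the error page), as an added example; this is not code from the post or from the DotGNU/Auth.GNU project. The function names, the in-memory tables and the PBKDF2 password storage are my own assumptions about how such a service would be built.

```python
import hashlib
import hmac
import secrets
from html import escape

# Constructed in-memory state standing in for the auth service's database (assumption).
SITES = {}   # site_id -> (protected_url, error_url)
USERS = {}   # username -> (salt, pbkdf2 hash); passwords are never kept in clear
ITERATIONS = 100_000

def register_site(protected_url, error_url):
    """Step 1: the webmaster enters the page to protect and the page for
    unauthorised users, and receives a unique identifier back."""
    site_id = secrets.token_urlsafe(16)
    SITES[site_id] = (protected_url, error_url)
    return site_id

def login_form_html(site_id, auth_url):
    """Step 2: the form the webmaster pastes into their page. It posts only to
    the auth service, so the webmaster's site never sees the credentials."""
    return (f'<form method="post" action="{escape(auth_url)}">'
            f'<input type="hidden" name="site_id" value="{escape(site_id)}">'
            '<input name="username"> <input type="password" name="password">'
            '<input type="submit" value="Log in"></form>')

def add_user(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))

def check_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        # Hash anyway so an unknown username costs as much as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    salt, stored = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(stored, candidate)

def handle_login_post(form):
    """Step 3: the service receives the posted form and answers with the URL to
    redirect the browser to; None means the site_id was never registered."""
    site = SITES.get(form.get("site_id", ""))
    if site is None:
        return None
    protected_url, error_url = site
    if check_password(form.get("username", ""), form.get("password", "")):
        return protected_url
    return error_url
```

Note that the service only chooses the redirect target; whether the protected page itself checks anything after the redirect is outside what the post describes.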

