Re: [squid-users] authentication via cookies

From: Waitman C. Gobble, II <waitman@dont-contact.us>
Date: 08 Dec 2002 13:27:09 -0800

On Sun, 2002-12-08 at 10:20, Henrik Nordstrom wrote:

Sorry if this is all OT, however I think a key based authentication
method with squid could be useful. Some decisions remain.

> Sounds like you are looking for something like PGP certificate
> authentication. To my knowledge there is not yet any standard for how such
> authentication should be done within HTTP. However, writing such an
> authentication scheme specification is technically not a very hard thing
> and should be possible to model on a design similar to that of HTTP
> Digest authentication for nonce exchanges etc but using certificate
> signing instead of HMAC as signing method.
>

I believe that the ideas are similar. In the SSL model, the traffic is
encrypted using asymmetric keys (essentially). The CA plays a part in
validating the authenticity of the key. In the PGP model, the exchange
is similar; however, there really isn't a CA.

The HTTP stream need not be encrypted necessarily (SSL:443) for
authentication on the proxy.

I suppose one issue is "if" we need to depend on an authority to trust
the signature.

If you go to Genny's for brunch, and initiate a payment request over
your cell phone, signed by your key, I am not sure that the third party
CA is really that important. Also, if the process were reversed and the
vendor initiated the invoice request, which was signed by you as
authorization for payment of the transaction, the CA would become
irrelevant. The payment system must recognize and distinguish the
fingerprint of the digital signature, and the transaction must be
dependent upon _both_ parties. The trust issue primarily remains between
the payer and the payee.

> > Down the road, I believe that usernames, passwords, credit card numbers,
> > contact information etc will be nonessential to authentication,
> > authorization, e-commerce, etc. Current methods of storing these types
> > of information on a server are a security risk, regardless of "how tight"
> > the security methods in place on the server.
>
> Ideally, but it is likely to take a while to get there. The
> standardisation and acceptance of how to manage such personal information on
> the Internet necessarily moves slower than most..

The new system will need to operate along with traditional methods,
otherwise implementation would be extremely difficult. Also, it needs to
support multiple key techniques, so one could have a choice of GPG, PGP,
etc.

> Today there are many competing projects aiming at providing "the solution"
> to this family of problems, but I do not see it likely there will be a
> good solution acceptable both to end-users and service providers any time
> soon as the interests of these two groups are quite different. There is
> very likely a rocky road ahead for many years still before a good
> generally acceptable solution is found (if at all possible in the modern
> world.. there is way too much politics involved in this area..).
>
> A general solution to this problem requires acceptance by all of
> - Major server vendors
> - Major browser vendors
> - Most major service providers
> - Most users
> - Patent owners having patents which may be required by such solution
>
> Until such agreement can be met we have to live with a set of sub-optimal
> solutions layering on top of existing infrastructure, and most likely
> heavily biased towards one or two of the above groups or other specific
> commercial interests.

I believe that the use of public RFCs, open source software, and a set
of carefully considered existing open source projects could set a
standard, agreed method. Perhaps the way we have come to know and use
DNS and HTTP came about in a similar method. If companies invest in
commercial implementations, the more the merrier.

I would like to figure out the details and get squid to work with the
authentication method, both as an initial experiment and as a model.

I am looking at the way GPG/PGP has been integrated with existing
products, but I see some milestones that need to be reached.

I can also see that this authentication method would work well with mail
services. It could definitely put a new twist on spam.

Take care,

-- 
Waitman Gobble         EMK Design     Buena Park, California
http://emkdesign.com   +1.7145222528   waitman@emkdesign.com
Public Key                          http://pgp.emkdesign.com
Find an example                    http://freakinexample.com

Received on Sun Dec 08 2002 - 14:27:09 MST
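
The scheme sketched in the quoted reply above (a Digest-style nonce exchange with a public-key signature in place of the keyed hash), as an added example that is not part of this message or of Squid. Ed25519 from Go's standard library stands in for a PGP key, and the type names, function names and the "alice" key id are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Proxy holds enrolled client public keys and the nonces it has issued.
type Proxy struct {
	keys   map[string]ed25519.PublicKey // key id -> key, enrolled out of band
	nonces map[string]bool              // issued and not yet used
}

// Challenge issues a fresh random nonce, the role the 407 challenge plays in Digest.
func (p *Proxy) Challenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	p.nonces[hex.EncodeToString(b)] = true
	return hex.EncodeToString(b)
}

// Respond is the client side: sign nonce, method and URI with the private key.
func Respond(priv ed25519.PrivateKey, nonce, method, uri string) []byte {
	return ed25519.Sign(priv, []byte(nonce+":"+method+":"+uri))
}

// Verify fails on an unknown key, an unknown or reused nonce, or a bad signature.
func (p *Proxy) Verify(keyID, nonce, method, uri string, sig []byte) bool {
	pub, ok := p.keys[keyID]
	if !ok || !p.nonces[nonce] {
		return false
	}
	delete(p.nonces, nonce) // single use: a captured response cannot be replayed
	return ed25519.Verify(pub, []byte(nonce+":"+method+":"+uri), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample identity; a real proxy would load enrolled keys.
	p := &Proxy{keys: map[string]ed25519.PublicKey{"alice": pub}, nonces: map[string]bool{}}
	n := p.Challenge()
	sig := Respond(priv, n, "GET", "http://example.com/")
	fmt.Println(p.Verify("alice", n, "GET", "http://example.com/", sig), // first use
		p.Verify("alice", n, "GET", "http://example.com/", sig)) // replay of the same response
}
```

The proxy stores only public keys, so nothing on the server is equivalent to a password; whether a given key should be enrolled at all is the trust question the message discusses, and it is outside this sketch.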
