Maybe It's Snake Oil All the Way Down

Anne & Lynn Wheeler lynn at garlic.com
Tue Jun 3 22:49:48 EDT 2003


some generic reasons for hooking radius (or one of the AAA technologies) 
into your webserver for authentication are:

1) supports a variety of authentication mechanisms on an account-by-account 
basis. day one, none of the users actually need to see any difference 
(single administrative interface supporting all the client authentication 
options that might be in use): existing userid/password, challenge/response 
and, in the referenced asuretee url, ecdsa digital signature.

2) single administrative interface for both client authentication options 
as well as all of their authorization and privilege options.

3) client database is accessible in real-time by the webserver; real-time 
updates can occur to both authentication information as well 
as authorization, permission and privilege information using a single 
consistent administrative operation

4) there is no disconnect between client administration and static, stale, 
redundant and superfluous certificates that are a subset of a r/o 
administrative database entry. (RADIUS) Updates can take place in real time 
and be immediately reflected. The certificate story (as mentioned previously, 
created for an offline, disconnected environment) basically would do something 
like a) invalidate the old certificate, b) issue new CRLs, c) possibly 
update an OCSP LDAP, d) update the master database permissions entry for 
that client, e) generate a certificate that represents a subset of the 
master information, f) distribute it to the client and g) then have the 
client install the new certificate. This of course becomes unnecessary if 
the certificate doesn't actually contain any information and the webserver 
accesses the authorization and permissions from an online database. 
However, as has repeatedly been pointed out before, if the certificate 
doesn't contain any information and the webserver is accessing an online 
database for authorizations and permissions ... then the webserver can 
access the online database for the authentication material also. The 
certificate then is static, stale, redundant and superfluous and you are 
back to a single online, real-time comprehensive administrative facility 
(like radius) that supports client/account specifics for authentication, 
authorization, permissions, accounting, privileges, etc.




--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
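The online AAA lookup argued for above, as an added example that is not part of the original post: a minimal RFC 2865 RADIUS client encoding in Python, showing the Access-Request a webserver would send (with the User-Password hidden under the shared secret), verification of the server's Response Authenticator, and parsing of the attributes an Access-Accept carries back for authorization. The shared secret, account names and the server-side reply builder are constructed for the demonstration; there is no network I/O.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                                      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32    # attribute types

def encode_attrs(attrs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)  # TLV: type, length, value

def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header; reject malformed lengths."""
    attrs, i = [], 20
    while i < len(packet):
        length = packet[i + 1] if i + 1 < len(packet) else 0
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((packet[i], packet[i + 2:i + length]))
        i += length
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), seeded by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret, nas_id):
    """Webserver side: return (Access-Request packet, Request Authenticator)."""
    auth = os.urandom(16)                                   # fresh random Request Authenticator
    attrs = encode_attrs([(USER_NAME, user), (NAS_IDENTIFIER, nas_id),
                          (USER_PASSWORD, hide_password(password, secret, auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def verify_response(reply, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); compare in constant time."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def make_access_accept(request, secret, attrs):
    body = encode_attrs(attrs)  # AAA server side (constructed for the demo): reply bound to the request
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body
```

Because the reply is bound to the Request Authenticator and the shared secret, a webserver that verifies it before honouring the returned attributes rejects replayed or forged Access-Accepts, which is the check that makes the real-time lookup trustworthy.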