[JDEV] Distributed Authentication - thoughts people?
adamtheo at theoretic.com
Sun Sep 30 14:13:14 CDT 2001
Michael Hearn wrote
> I think that authentication could well be one of the next important
> stages in the development of the net. And I think Jabber can do it best.
> So what do people think? Should I go ahead and submit a JEP for the
> creation of the Authentication JIG?
hm... after some thought, i now think that a new JIG should be set up,
but we have to carefully think about what it would cover.
*authentication* is verifying who the user/server is. this is not only
used with web services, as we are planning, but also the
username/password/server combo to log into one's account in the first
place. that is authentication, as is dialback for the servers, to make
sure a received jabber message came from the server it says it did (if i
understand dialback correctly). will this auth JIG cover those, as well,
or just the web services aspect of authenticating the user and service
to each other?
*authorization* is deciding what powers the verified user has. this is
the access control/permissions stuff the profiles-jig recently finished,
as well as admin jid read/write access. does the new jig cover this as
well? if not, then what do we call this jig? 'auth' would be
inappropriate, unless we plan to cover all aspects of authentication and
now, i would not be opposed to creating an auth jig to cover all types
of verification and access control in jabber, but we need to be careful
that is what we are really after.