[JDEV] Distributed Authentication - thoughts people?

Michael Hearn mhearn at mailandnews.net
Sun Sep 30 17:02:01 CDT 2001


Firstly, I'd like to make clear that I am well aware of the difference 
between authentication and authorization. The JIG says this:

The rise of the Microsoft Passport system has demonstrated that users 
want and need authentication services on the net. In brief, distributed 
authentication allows you to login to the network once, and from that 
point on be recognised by all sites that conform to the standard. This 
is known as Single Sign-In. Passport, however, suffers fundamental 
limitations - this document is not really the place to discuss them - 
and Jabber can do better.

Authorization is something different, as commented on below. The JIG 
would deal first with authentication, then move on to authorization, 
to allow services to access aspects of the user's account. Again, we 
would attempt to do this in a server-transparent fashion, so that the 
user's host doesn't necessarily have to be running a Jabber server - just 
any server that conforms to the protocol will do.

I thought about calling it the auth jig, but I'm not sure how good a 
name that is. I decided upon authentication as this would be the primary 
focus, moving on to authorization later. I'm fine with changing it 
though, if people want me to.
thanks -mike

Adam Theo wrote:

> Michael Hearn wrote
>> I think that authentication could well be one of the next important 
>> stages in the development of the net. And I think Jabber can do it 
>> best. So what do people think? Should I go ahead and submit a JEP for 
>> the creation of the Authentication JIG?
> hm... after some thought, i now think that a new JIG should be set up, 
> but we have to carefully think about what it would cover.
> *authentication* is verifying who the user/server is. this is not only 
> used with web services, as we are planning, but also the 
> username/password/server combo to log into one's account in the first 
> place. that is authentication, as is dialback for the servers, to make 
> sure a received jabber message came from the server it says it did (if i 
> understand dialback correctly). will this auth JIG cover those, as well, 
> or just the web services aspect of authenticating the user and service 
> to each other.
> *authorization* is deciding what powers the verified user has. this is 
> the access control/permissions stuff the profiles-jig recently finished, 
> as well as admin jid read/write access. does the new jig cover this as 
> well? if not, then what do we call this jig? 'auth' would be 
> inappropriate, unless we plan to cover all aspects of authentication and 
> authorization...
> now, i would not be opposed to creating an auth jig to cover all types 
> of verification and access control in jabber, but we need to be careful 
> that is what we are really after.

Michael Hearn
mhearn at neuk.net
Jabber (jabber.org) tweedledee at jabber.org