| The Web browser can probably send some kind of identification
string, however it is certainly easy to arrange to send
any string you like. So if the string is some kind of user name
(without password) then it would be easy to impersonate anyone.
Whether the Web server can be persuaded to look at the identification
string and convert it into some kind of x.500 name is doubtful, and
without a password it would not be secure anyway.
There are only 3 ways that I can see this working.
1) change the browser so that it can send some kind of configurable
identification which includes the password, and change the web
server to convert this identification into an x.500 name and
password.
2) Change the web server so that it can send a 'login' screen to
the user. Once the user has logged in the web server sends a cookie
back to the browser, which retains it indefinitely. The web server
can then use the contents of this cookie to generate the
authentication information for the directory access.
3) Implement single login in the network.
This is the only really satisfactory way to do things, but there is
no widely accepted standard for doing this. Unless it is available
in just about everything it won't fly. (Kerberos is a start,
but not the complete solution).
Andrew
|
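Option 2 from the post above, next to the password-less identification string it warns about, as an added example that is not part of the original thread. The key, the directory mapping, the function names and the one-hour expiry are assumptions made for the sketch (the post describes a cookie retained indefinitely).

```python
import base64
import hashlib
import hmac

# Assumptions for this sketch: constructed key, lifetime and directory entry.
SERVER_KEY = b"constructed-demo-key"
SESSION_TTL = 3600  # seconds; bounded instead of "retained indefinitely"
DIRECTORY_NAMES = {"andrew": "CN=Andrew Example,O=Example Org,C=GB"}


def name_from_ident_string(ident):
    """Password-less identification string: whatever the browser sends is trusted."""
    return DIRECTORY_NAMES.get(ident)


def sign(payload):
    """HMAC-SHA256 tag over the cookie payload, base64url-encoded."""
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag)


def issue_cookie(user, now):
    """Called only after the login screen has verified the user's password."""
    payload = f"{user}|{int(now) + SESSION_TTL}".encode()
    return (base64.urlsafe_b64encode(payload) + b"." + sign(payload)).decode()


def directory_name_from_cookie(cookie, now):
    """Return the X.500 name for a valid, unexpired cookie, else None."""
    try:
        body, tag = cookie.encode().split(b".")
        payload = base64.urlsafe_b64decode(body)
    except ValueError:  # wrong number of parts or bad base64
        return None
    # Constant-time comparison; a client cannot produce the tag without the key.
    if not hmac.compare_digest(tag, sign(payload)):
        return None
    user, _, expiry = payload.decode().partition("|")
    if not expiry.isdigit() or now >= int(expiry):
        return None
    return DIRECTORY_NAMES.get(user)


if __name__ == "__main__":
    cookie = issue_cookie("andrew", now=1_000_000)
    print(directory_name_from_cookie(cookie, now=1_000_010))
    forged = base64.urlsafe_b64encode(b"andrew|9999999999").decode() + ".AAAA"
    print(directory_name_from_cookie(forged, now=1_000_010))
```

The cookie only proves that a login happened on this server; the password check itself still has to take place on the login screen before `issue_cookie` is called.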
| Ron Rivest (RSA, MIT) recommends the use of digital certificates as a means of
authenticating identity. Both Netscape Navigator and MS Internet Explorer
support certificates, and point you to the VeriSign (www.verisign.com) site to
get one. One of our partners, Entrust Technologies (www.entrust.com), has a
Web/CA product.
A digital certificate is the equivalent of a password/logon ID combination.
The user just has to install it in the browser, and it authenticates identity
to the web server in the background (if configured to do so).
[Posted by WWW Notes gateway]
|