
[Tjais-dev] Re: [DotGNU]Identity

From: David Nicol
Subject: [Tjais-dev] Re: [DotGNU]Identity
Date: Fri, 01 Mar 2002 15:40:51 -0600

Hans Zandbelt wrote:
> At 15:16 2/28/2002 -0600, David Nicol wrote:
> >I have an apprentice working on templatizing the HTML pages
> >involved in the six-stage handshake and writing identity client
> >code in Java as well as Perl -- for an authenticated identity service
> >as described at my web page .  Anyway, here's some ASCII - UML
> >describing how the handshake works:
> <snip>
> >Advice, dissent?
> Please have a look at which
> describes an identity system (IDsec, a DotGNU
> project proposal) that uses a similar handshake for
> identity establishment.
> Hans.

What I want to do, and which my AIS client will provide, and
which is not available directly from that web page (nor from

AIS's web page or

And I will gladly just concede this space to IDsec if you can
provide me with this piece :)

Is, have a program or module or run-time function which can
be included, with appropriate parameters concerning, such
things as behavior on negative response, in a Perl CGI program,
like so:

        require "";

and this is all the client program has to do to populate
a well-known or pointed-to variable with an authenticated

Obvious parameters include the name of the identity server
to authenticate against and a reference to a buffer to load
the identity into, extending the invocation to something like

        use dgAIS server => '' , buffer => \$USER_ID;

or, with a group of servers,

        use dgAIS serverlist => [qw{
                buffer => \$user::user_id;

Anyway, this would be embedded within another program that handles sessions
for users of the web service, so the identity service only needs to get
hit when a new session is created.

For instance, the calendar application I am working on does, for instance,
in part of it, something similar to:

        @user::required_privs = qw{ view post useredit };
        require "";

and is responsible for:

        loading the session record if one exists, otherwise

        creating a session record by requiring the identity module,
                which does the handshake, which involves
                issuing a Location: header and exiting and then
                handling the next step when we return, looking up
                the user in the local privilege database, loading
                the identity and the privs into a session record,
                serving a session cookie

        checking the session's privs and exiting with an
        insufficient priv error message if needed

That's the point of the AIS module, usability from the client-writing

Is there C or Perl code available that can be dropped into the
"Get Identity" part of the above sequence of events?  I will gladly
switch from a system of my own devisement to an equivalent one that
already has the blessing of the IETF if it is a drop-in replacement
providing the same functionality.

           David L Nicol, humble system administrator (816) 235 1187
              "... security through transparency." -- Margareta Wolf
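Added illustration, not part of the original message and not the AIS or IDsec code: the session gate sketched in the message (load a session if the cookie names one, otherwise start the handshake with a Location: header, and on return look the identity up in the local privilege database, build a session record, serve a cookie, then refuse callers lacking a required privilege). The identity server URL, cookie name, privilege table and the `verify_assertion()` hook are all assumptions; the six-stage handshake itself is not reproduced. The gate returns a hashref describing the response instead of printing and exiting, so the logic can be exercised without a web server.

```perl
#!/usr/bin/perl
# Example session gate for a Perl CGI (added illustration; identity server,
# cookie name, privilege table and assertion format are all assumed).
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Assumed identity server and cookie name (placeholders, not real services)
my $ID_SERVER   = 'https://identity.example.invalid/handshake';
my $COOKIE_NAME = 'AIS_SESSION';

# Constructed local privilege database: identity -> privileges
my %PRIV_DB = (
    'alice@example.invalid' => [qw{ view post useredit }],
    'bob@example.invalid'   => [qw{ view }],
);

# In-memory session store; a real CGI would persist this server-side
my %SESSIONS;

# Minimal percent-encoding for the return URL (avoids a non-core module)
sub url_escape {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Create a session record for an identity the handshake vouched for,
# copying its privileges from the local database. Returns the session id.
sub create_session {
    my ($identity) = @_;
    my $sid = sha256_hex($identity . time() . rand());
    $SESSIONS{$sid} = {
        identity => $identity,
        privs    => { map { $_ => 1 } @{ $PRIV_DB{$identity} || [] } },
    };
    return $sid;
}

# Pull a known session id out of an HTTP_COOKIE header, if any.
sub session_from_cookie {
    my ($cookie_header) = @_;
    return undef unless defined $cookie_header;
    for my $pair (split /;\s*/, $cookie_header) {
        my ($k, $v) = split /=/, $pair, 2;
        return $v if defined $k && $k eq $COOKIE_NAME
                  && defined $v && exists $SESSIONS{$v};
    }
    return undef;
}

# Hypothetical assertion check standing in for whatever the real handshake
# returns: here "verified:<identity>" is accepted. A real module would check
# a signature or a server-side nonce before trusting the identity.
sub verify_assertion {
    my ($assertion) = @_;
    return $1 if $assertion =~ /^verified:(.+)$/;
    return undef;
}

# The gate. Arguments: cookie, assertion, self_url, required_privs (arrayref).
# Returns a hashref with status 'redirect' (start handshake), 'ok', or
# 'forbidden', plus any headers the CGI should emit.
sub gate {
    my (%req) = @_;
    my @required = @{ $req{required_privs} || [] };
    my @set_cookie;

    my $sid = session_from_cookie($req{cookie});
    if (!defined $sid) {
        if (defined $req{assertion}) {
            # Return leg: identity server sent the browser back with an assertion
            my $identity = verify_assertion($req{assertion});
            return { status => 'forbidden', reason => 'bad assertion' }
                unless defined $identity;
            $sid = create_session($identity);
            push @set_cookie,
                "Set-Cookie: $COOKIE_NAME=$sid; HttpOnly; Secure; Path=/";
        } else {
            # No session, no assertion: send the browser to the identity server
            my $return_to = url_escape($req{self_url} || '/');
            return { status  => 'redirect',
                     headers => ["Location: $ID_SERVER?return=$return_to"] };
        }
    }

    my $session = $SESSIONS{$sid};
    my @missing = grep { !$session->{privs}{$_} } @required;
    return { status => 'forbidden', reason => "missing privs: @missing" } if @missing;
    return { status => 'ok', identity => $session->{identity}, headers => \@set_cookie };
}

# Usage, as the calendar CGI above would call it:
#   my $r = gate(cookie => $ENV{HTTP_COOKIE}, assertion => $q->param('assertion'),
#                self_url => $q->self_url, required_privs => [qw{ view post useredit }]);
#   if ($r->{status} ne 'ok') { print "$_\r\n" for @{ $r->{headers} || [] }; print "\r\n$r->{status}\r\n"; exit }
```

Two points a practitioner would check before dropping this in: the `return` value handed to the identity server should be restricted to the service's own URL so the handshake cannot be used to bounce browsers elsewhere, and the assertion the identity server hands back must be bound to something the client generated (a nonce kept in the pending session), which is exactly the part the placeholder `verify_assertion()` leaves out.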
