Steven Blanchard wrote:
> Cons of HTTP Authentication
> ...
> - The challenge/response design of HTTP authentication--sending a 401
>   Authorization Required when accessing a secured URL--would leak
>   sensitive information. (can be mitigated)
> ...
> - Basic authentication transmits the user name and password in the clear
>   for every request
I think there is an issue that would need to be checked with lawyers, at least for people who are UK-government sponsored and are proposing to implement authentication for the first time. Those affected will know that since the well-publicised leaks of private data by public organizations in the UK, research councils have [been made to] increase supervision of the data protection laws, with requirements for encryption of disks etc.

It's my understanding (though I am not a lawyer :) that storing a username together with a password constitutes 'private data' and that any database or other mechanism used to store that information would therefore need to be registered with your organisation and be audited. I also understand that ignoring the requirement is a sacking offence, at least where I work.

This seems like a very powerful incentive to avoid designing any system that requires local storage of passwords, especially since the content being served does not itself usually contain any 'private data' that needs protecting. So it seems to me that a better and ultimately simpler solution is one that offloads all personal passwords to dedicated servers designed for the purpose and implemented and supported by IT security teams.

So I'd suggest checking the legal framework before making any technical decisions on authentication schemes.

Cheers,
Dave

_______________________________________________
DAS mailing list
[email protected]
http://lists.open-bio.org/mailman/listinfo/das
