Somebody claiming to be Matthew Wild wrote:
On Mon, 10 Feb 2025 at 17:39, Stephen Paul Weber <[email protected]> wrote:

>The authcid is how we convey the authenticating username.

Yes I understand that's what currently is placed there. I'm proposing that for FAST we put a token id there, which will of course convey the account in question to the server as well (since a token is only valid for a single account).

The server would need to know that FAST is being used in order to know it's not a username, but my understanding is that a reason for proposing this is to remove the explicit indication to the server that this is a FAST authentication. Right?

Your concern is namespace collision between username and a FAST token id if the ids are also valid usernames?

I think since the IDs are fully under the control of the server this isn't a problem in practice, is it? The server would not assign any credential (including FAST tokens) an id that is an existing username, and would not allow creation of an account with a username that matches any existing credential id. Username is the credential ID for the "primary account password" as used today.
_______________________________________________ Standards mailing list -- [email protected] To unsubscribe send an email to [email protected]
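
An added illustration, not part of the original message or of any server's code: a minimal sketch of the single credential-id namespace the reply describes, where a username is simply the id of the account's primary password credential and an authcid resolves to an account without any mechanism hint. The class and method names are hypothetical, and `casefold()` is an assumed stand-in for the server's real username normalization.

```python
import secrets


class CredentialRegistry:
    """One namespace for every credential id; a username is the id of the
    account's primary password credential, as the message describes."""

    def __init__(self):
        self._by_id = {}  # normalized credential id -> (account, kind)

    @staticmethod
    def _norm(ident):
        # Assumption: casefold() stands in for the server's real username
        # normalization. Collisions are checked on the normalized form.
        return ident.casefold()

    def create_account(self, username):
        key = self._norm(username)
        # Refuse a username that matches any existing credential id,
        # whether that id is another username or a token id.
        if key in self._by_id:
            raise ValueError("username collides with an existing credential id")
        self._by_id[key] = (key, "password")
        return key

    def issue_token_id(self, account, new_id=secrets.token_urlsafe):
        acct = self._norm(account)
        if self._by_id.get(acct) != (acct, "password"):
            raise KeyError("unknown account")
        while True:
            # The id is chosen by the server; retry if the candidate
            # matches any username or any previously issued token id.
            token_id = new_id()
            key = self._norm(token_id)
            if key not in self._by_id:
                self._by_id[key] = (acct, "fast-token")
                return token_id

    def resolve(self, authcid):
        """Map an authcid to (account, credential kind), or None if unknown."""
        return self._by_id.get(self._norm(authcid))
```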
