Hello,

I am applying for a CPAN author account, and here is my info:

* your name: John Pliam
* your email address: [EMAIL PROTECTED]
* your homepage: (for unknown duration) www.ima.umn.edu/~pliam
* your preferred user-ID: PLIAM
* a short description of what you're planning to contribute:

I am currently alpha-testing (Yet Another) Apache authentication module. Unlike all existing modules on CPAN, I believe my module would be:

- The only one which securely handles the sharing of multiple credentials across multiple hosts (even across DNS domains).
- The only one in which URL-mangled and HTTP cookie credentials can coexist under a single framework governed by a single security policy.
- The only one where an access control decision can easily be based on both the current session strength and the original authentication strength.
- The only one with built-in support for idle timeouts as well as conventional expiration.

The HTTP cookie mechanism is fraught with bizarre traps and gotchas (see ~pliam/cky in my web site, e.g.). The IETF with its RFC2964 (a best current practice) utterly *forbids* its use as an authentication mechanism. My module essentially attempts to ameliorate the `best current practice' by designing the Apache module as a cryptographic protocol first.

I've looked at: Apache-AuthCookie-*, ApacheCookieEncrypted-*, Apache-AuthTicket-*, Apache-AuthenURL-*. Some of these are quite mature and I would use them in certain circumstances, but in other circumstances I couldn't use or easily modify them to achieve a desired level of security. So perhaps there is room for more ... :-)

Best Regards,
John Pliam
[EMAIL PROTECTED]