Re: New Authenticated: header?

2005-03-10 13:16:54

On Thu March 10 2005 13:25, David MacQuigg wrote:

> The key concept here is that these forgeries will be only in headers
> *below* the authenticated header of the trusted forwarder.


Repeat until it sinks in:

"Header fields are NOT required to occur in any particular order"
[STD 11]

> 2. There has still been no concrete definition of precisely
>    who or what is supposedly being authenticated, by whom,
>    according to what criteria, or for what purpose.

> These are implementation details

No, they are fundamentals.

First things first: first come up with a detailed definition for
the supposed "authentication", addressing the issues above.

Then, if and only if there is some reasonable purpose, there
might be some point in discussing how to pass information from
point to point.

> Fundamental requirements first, then details of specific proposed

That's what I said.  So first state what it is that you intend
to authenticate, vs. what other information, who you propose
should perform the authentication and how, why, and what you
think it will accomplish.

There are few too many half-baked ideas that begin with "let's
use a header [field] to do ..."; this one looks like it's
completely unbaked.