[MERGE] Authentication Ring spec

Martin Pool mbp at sourcefrog.net
Fri Jul 27 21:58:54 BST 2007


On 7/27/07, John Arbash Meinel <john at arbash-meinel.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Aaron Bentley wrote:
> > Aaron Bentley has voted resubmit.
> > Status is now: Resubmit
> > Comment:
> > You seem not to have noticed my mailing-list comments:
> >
> > Vincent Ladeuil wrote:
> >> +.. [#ignored_realm] The true purpose of realms is to allow the same
> > credentials
> >> +   to be reused for disjoint hierarchies. Ignoring them in this
> > specifications
> >> +   aims to simplify the user experience.
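Review bot: "Ignoring them in this specifications" on the second line of the footnote should read "in this specification"; while editing it, the footnote says what realms are for but not what a path-keyed scheme gives up, which is exactly what the review comment above is asking about, so one sentence on how two realms on the same host are meant to be handled would save the next reviewer the same question.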
> >
> > I don't really see a simplification in ignoring realm.  I think it would
> > be a much better identifier than "path".
>
> I actually disagree with you here, and agree with Vincent's statement.
>
> There is no realm for "ftp", and for http it isn't obvious what the realm would be.
> And while I'm sure it is possible to set it up, I think for *users* they know a
> URL, which makes path blatantly obvious. As long as "/foo" works for "/foo" and
> "/foo/bar" I think it covers 95+% of what we need.

I disagree with you and agree with Aaron. :-)

For ftp/ssh/sftp neither the realm nor path is needed.  I've never heard
of a system where you'd want different passwords based on the location.

For http, you sometimes have different credentials on the same host, but
these are meant to be distinguished by realm.  Otherwise it's hard to tell
over what scope of paths the credentials are meant to apply.

You might sometimes want to use different users on the same host, but
that's probably best handled by giving the user name in the url and
matching on that.

I'm not saying we need to do auto-remembering now, but we should make sure
it will work.

So if you opt to autoremember an http password, it should add a section
like this:

  [http://goo.net/ (Bazaar realm)]
  user = johndoe
  password = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  password_encoding = base64

The display of the realm is like what mozilla uses.

If you manually want a password to only apply to some paths you might
manually add

  [http://goo.net/private]
  user = johndoe
  password = s3kr3t

> [.netrc will be ignored]

I think this is just because it would be complex to have two possible
mechanisms to do the same thing?  Users might configure one and be
confused that it doesn't take effect.

Something else I was talking about with John (a bit off topic for this
spec):

For http, it's probably best to initially connect without giving
credentials and see if the server says "must authenticate".  Then we can
send back the username and password and continue using them for this
session.  I think this is the intended use of the protocol, and this tells
us the realm and the acceptable authentication mechanisms.  If a username
is given in the url we should probably authenticate unilaterally.

-- 
Martin
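To make the two proposals in the message above concrete, here is an added example (not bzr's own code, and not part of the original thread) that reads sections in the shape sketched above, matches a request URL against them by scheme, host, path prefix, optional realm and optional user name in the URL, and models the "connect first, authenticate on 401" flow. The sample config, the passwords, the "longest path wins, then realm-specific" tie-break and the `first_response` dict standing in for a real HTTP reply are all constructed for the example.

```python
import base64
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample in the section format sketched in the message:
# a realm-tagged autoremembered entry, a manual path-limited entry, and a
# second realm on the same host. Every password here is made up.
SAMPLE_CONFIG = """
[http://goo.net/ (Bazaar realm)]
user = johndoe
password = aHVudGVyMg==
password_encoding = base64

[http://goo.net/private]
user = johndoe
password = s3kr3t

[http://goo.net/ (Admin realm)]
user = admin
password = adminpw
"""

# Section header: a URL, optionally followed by " (realm)" in Mozilla's display style.
_SECTION_RE = re.compile(r'^(?P<url>\S+)(?:\s+\((?P<realm>.*)\))?$')


def parse_sections(text):
    """Turn the config text into a list of credential entries (assumed layout)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    entries = []
    for name in cp.sections():
        m = _SECTION_RE.match(name.strip())
        if m is None:
            raise ValueError('unparseable section header: %r' % name)
        parts = urlsplit(m.group('url'))
        sec = cp[name]
        entries.append({
            'scheme': parts.scheme.lower(),
            'host': (parts.hostname or '').lower(),
            'path': parts.path or '/',
            'realm': m.group('realm'),          # None when the header carries no realm
            'user': sec.get('user'),
            'password': sec.get('password'),
            'password_encoding': sec.get('password_encoding'),
        })
    return entries


def decode_password(entry):
    """Apply password_encoding; only 'base64' is known, plain text is the default."""
    enc = entry['password_encoding']
    if enc is None:
        return entry['password']
    if enc == 'base64':
        return base64.b64decode(entry['password']).decode('utf-8')
    raise ValueError('unsupported password_encoding: %r' % enc)


def path_matches(section_path, request_path):
    """'/foo' covers '/foo' and '/foo/bar' but not '/foobar'."""
    if section_path == request_path:
        return True
    return request_path.startswith(section_path.rstrip('/') + '/')


def credentials_for(entries, url, challenge_realm=None):
    """Pick (user, password) for url, or None if nothing applies.

    Scheme, host and path prefix must match. A realm-tagged entry is only
    used when the server's challenge names that realm; before any challenge
    (challenge_realm is None) realms are not a filter. A user name in the
    URL restricts matches to entries with that user. Ties go to the longest
    path, then to the realm-specific entry (an assumed policy).
    """
    req = urlsplit(url)
    best = None
    for e in entries:
        if e['scheme'] != req.scheme.lower() or e['host'] != (req.hostname or '').lower():
            continue
        if not path_matches(e['path'], req.path or '/'):
            continue
        if challenge_realm is not None and e['realm'] is not None and e['realm'] != challenge_realm:
            continue
        if req.username is not None and e['user'] != req.username:
            continue
        rank = (len(e['path']), e['realm'] is not None)
        if best is None or rank > best[0]:
            best = (rank, e)
    if best is None:
        return None
    return best[1]['user'], decode_password(best[1])


def realm_from_challenge(www_authenticate):
    """Extract realm="..." from a WWW-Authenticate header value (Basic or Digest)."""
    m = re.search(r'realm="([^"]*)"', www_authenticate)
    return m.group(1) if m else None


def decide_auth(entries, url, first_response=None):
    """The flow proposed above: the first request goes out without credentials
    unless the URL names a user; on a 401 the realm is read from the challenge
    and only then are credentials chosen. first_response is a constructed
    {'status': int, 'headers': dict} standing in for a real HTTP reply."""
    if first_response is None:
        return credentials_for(entries, url) if urlsplit(url).username else None
    if first_response['status'] != 401:
        return None
    realm = realm_from_challenge(first_response['headers'].get('WWW-Authenticate', ''))
    return credentials_for(entries, url, realm)


if __name__ == '__main__':
    entries = parse_sections(SAMPLE_CONFIG)
    challenge = {'status': 401, 'headers': {'WWW-Authenticate': 'Basic realm="Bazaar realm"'}}
    print(decide_auth(entries, 'http://goo.net/trunk', challenge))      # ('johndoe', 'hunter2')
    print(decide_auth(entries, 'http://goo.net/private/x', challenge))  # ('johndoe', 's3kr3t')
    print(decide_auth(entries, 'http://admin@goo.net/'))                # ('admin', 'adminpw')
```

The realm-less `/private` section applies whatever realm the server names, which is the behaviour a hand-written path-only entry implies; the two realm-tagged sections on the same host are told apart only once a 401 has been seen, and a bare `http://goo.net/trunk` with no challenge yet gets no credentials at all.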
