Re: [Dav-linuxfs] Re: davfs, and http support

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I'm aware that cookies are an HTTP extension, but so is WebDAV.  They
are simply extensions that increase the utility of HTTP itself.  While I
would agree with you that using cookies for authentication is not the
ideal mechanism, I wouldn't classify it as a hack.  It is dealing with
reality.  Developing a intra-institutional centralized authentication
mechanism makes users' and administrators' lives simpler.  It is more
secure than replicating authentication information/mechanisms across
each application or service, or having each application developer design
his or her own way of doing it.  As I'm sure that you can realize, this
would be a very bad, insecure approach.  So, as PKI is not really that
feasible yet to deploy on any given campus, we need to use cookies.  If
it makes you more comfortable, we can also use GET data.  But we do need
redirection support.  I am very pleased that you are concerned about
security, but I would ask you to consider what is actually more secure,
avoiding cookies and forcing people that use your software to implement
ugly authN hacks on the server side, or take some time, support cookies
well, and have a more elegant authN solution for the local network.  I
would be happy to hear your thoughts on how to solve this problem well. 
Internet2/MACE's web-iso project is quickly closing in on a standard. 
So if you know of how we can do things better and more securely (that
doesn't require anything other of the user than commodity software like
a browser), we would love to hear about it.  

Essentially, my goal is to be able to make the case for wide usage of
your software.  The tier 1 and 2 research institutions are the primary
participants in I2.  We help to guide the way for smaller schools that
have less money to spend on IT Architecture research.  My side project
right now is to make the case for converting to WebDAV for enterprise
filesharing.  Being able to use davFS as part of this scheme would be
rather useful.  If it is not in line with what your development goals
are, I can respect that, and solve the problem in another way or with
other software.  Hopefully you can see the potential of getting this
support in your software.  But if not, that's your perogative. ;-)

	--Ryan

On Wed, 2001-11-14 at 02:20, Joe Orton wrote:
> > On 10 Nov 2001, Ryan Muldoon wrote:
> > 
> > > I am rather interested in webDAV, and davfs looks like a really cool
> > > project.  I admit, I just discovered it about five minutes ago, but I
> > > have a quick question/request.  One of the big problems with most DAV
> > > clients right now is that they don't fully support HTTP.
> 
> Cookies are an HTTP *extension*, they are not a part of the HTTP
> specitication itself. Using cookies for authentication is a hack; there
> is no need for a DAV client to support cookies to be interoperable. (in
> fact since implementing cookie support badly in a client can lead to
> security problems, I would hope most DAV clients don't naively implement
> cookies "just in case").
> 
> Regards,
> 
> joe