[DAS] HTTP Authentication Plug

Dave Howorth dhoworth at mrc-lmb.cam.ac.uk
Wed Oct 29 10:10:38 UTC 2008


Steven Blanchard wrote:
> Cons of HTTP Authentication 
...
> - The challenge/response design of HTTP authentication--sending a 401
>   Authorization Required when accessing a secured URL--would leak
>   sensitive information. (can be mitigated)
...
> - Basic authentication transmits the user name and password in the clear
>   for every request

I think there is an issue that would need to be checked with lawyers, at
least for people who are UK-government sponsored and are proposing to
implement authentication for the first time.

Those affected will know that since the well-publicised leaks of private
data by public organizations in the UK, research councils have [been
made to] increase supervision of the data protection laws, with
requirements for encryption of disks etc.

It's my understanding (though I am not a lawyer :) that storing a
username together with a password constitutes 'private data' and that any
database or other mechanism used to store that information would
therefore need to be registered with your organisation and be audited. I
also understand that ignoring the requirement is a sacking offence, at
least where I work.

This seems like a very powerful incentive to avoid designing any system
that requires local storage of passwords, especially since the content
being served does not itself usually contain any 'private data' that
needs protecting. So it seems to me that a better and ultimately simpler
solution is one that offloads all personal passwords to dedicated
servers designed for the purpose and implemented and supported by IT
security teams.

So I'd suggest checking the legal framework before making any technical
decisions on authentication schemes.

Cheers, Dave
