[JDEV] Distributed Authentication - thoughts people?

[Adam Theo]

Michael Hearn wrote

> I think that authentication could well be one of the next important 
> stages in the development of the net. And I think Jabber can do it best. 
> So what do people think? Should I go ahead and submit a JEP for the 
> creation of the Authentication JIG?

hm... after some thouhgt, i now think that a new JIG should be set up, 
but we have to carefully think about what it would cover.

*authentication* is verifying who the user/server is. this is not only 
used with web services, as we are planning, but also the 
username/password/server combo to log into one's account in the first 
place. that is authentication, as is dialback for the servers, to make 
sure a received jabber message came from the server it says it did (if i 
understand dialback correctly). will this auth JIG cover those, as well, 
or just the web services aspect of authenticating the user and service 
to each other.

*authorization* is deciding what powers the verified user has. this is 
the access control/permissions stuff the profiles-jig recently finished, 
as well as admin jid read/write access. does the new jig cover this as 
well? if not, then what do we call this jig? 'auth' would be 
inappropriate, unless we plan to cover all aspects of authentication and 
authorization...

now, i would not be opposed to creating an auth jig to cover all types 
of verification and access control in jabber, but we need to be careful 
that is what we are really after.