[RTW] Criteria for what one can do in Javascript vs what one has to do inside the browser
Harald Alvestrand
harald at alvestrand.no
Thu Feb 17 23:36:34 CET 2011
On 02/17/2011 11:20 PM, Ted Hardie wrote:
> I'm thinking of the URLAUTH mechanism described by LEMONADE:
> http://tools.ietf.org/search/rfc4467
>
> That's a limited-use proof-of-possession model for authorization, with no
> authentication implied (just as anyone in possession of a pawn ticket
> can redeem the item out of pawn). STUN is a user-name and password
> model either long term or short term. The short-term method can use some
> out-of-band mechanism to assign time-limited username/passwords.

The reason I think of this as a proof-of-possession mechanism is that in
the use I'm most familiar with, both the username and password are
random strings generated at the time-of-use; they are carried in fields
named "username" and "password" in SDP / Jingle, but that doesn't mean
they are tied to a user in the traditional sense - that's what makes
them "short-term".

It would be nice if the STUN spec had called the fields something
different, but that's what you get from not wanting to reinvent
protocols all the time....

Harald
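
Added example, not part of the original message or the list archive: a Python sketch of how time-of-use random strings act as a proof-of-possession check, assuming the short-term credential mechanism of RFC 5389 (MESSAGE-INTEGRITY is HMAC-SHA1 keyed with the password). All function names are hypothetical, and SASLprep is skipped because the generated strings are plain ASCII.

```python
import hashlib, hmac, secrets, struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, USERNAME, MESSAGE_INTEGRITY = 0x0001, 0x0006, 0x0008

def new_short_term_credentials():
    # Random strings minted per session; they name no user account.
    return secrets.token_hex(4), secrets.token_hex(12)

def _attr(attr_type, value):
    pad = b"\x00" * (-len(value) % 4)  # attributes are padded to 4 bytes
    return struct.pack("!HH", attr_type, len(value)) + value + pad

def build_request(username, password, txid=None):
    txid = txid or secrets.token_bytes(12)
    body = _attr(USERNAME, username.encode())
    # Header length must already count the 24-byte MESSAGE-INTEGRITY attribute.
    header = struct.pack("!HHI", BINDING_REQUEST, len(body) + 24, MAGIC_COOKIE) + txid
    # Short-term key is the password itself (assumption: SASLprep is a no-op here).
    mac = hmac.new(password.encode(), header + body, hashlib.sha1).digest()
    return header + body + _attr(MESSAGE_INTEGRITY, mac)

def verify_request(msg, expected_username, password):
    if len(msg) < 20:
        return False
    _msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or length != len(msg) - 20:
        return False
    pos, username = 20, None
    while pos + 4 <= len(msg):
        attr_type, attr_len = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + attr_len]
        if attr_type == USERNAME:
            username = value.decode(errors="replace")
        elif attr_type == MESSAGE_INTEGRITY:
            if len(value) != 20 or username != expected_username:
                return False
            # Recompute over everything before this attribute, with the length
            # field covering up to the end of MESSAGE-INTEGRITY.
            header = msg[:2] + struct.pack("!H", pos + 24 - 20) + msg[4:20]
            mac = hmac.new(password.encode(), header + msg[20:pos], hashlib.sha1).digest()
            return hmac.compare_digest(mac, value)
        pos += 4 + attr_len + (-attr_len % 4)
    return False  # no MESSAGE-INTEGRITY present: reject
```

The verifier learns only that the sender holds the password exchanged out of band for this session; nothing in the check ties the request to an account.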