[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

auth keys, sigh

well, i WAS going to post withdrawing my support for auth keys.  the
primary utility of them in MCP 1 was, counterintuitively, to allow
_unauthenticated_ messages to be used.  but in the current spec, we
say that unauthenticated messages can't be.  so what's the point, i

however, i became a bit concerned about attacks from untrusted users
on non-MCP servers.  but then i remembered the problem the problem is
just as bad with untrusted servers.

hm.  i guess i'm withdrawing my support for auth keys after all.
however, i think if we remove them, we should strongly recommend in
the spec that implementers either (a) come up with some form of
authentication, or (b) attempt mcp negotiation only with known
servers, which i guess is itself a form of authentication.  by "known"
i pretty much mean "the user said this server was okay".  oh, or (c)
implement only mcp messages that have no security risks whatsoever.

i guess this is pretty obvious, but it seems to me that we should
stress more in the spec that security is a problem.  and, now that i
think about it, definitely eliminate auth keys, on the grounds that a
false sense of security is worse than no security at all.

--erik, confused