On Sat, 29 Dec 2001 kpneal@pobox.com wrote:

> Say, I have a question.
>
> How terrible would it be to move authentication out of "all" programs and
> into an "authentication program"? There could be an API of sorts to
> communicate between the application and the authenticator.
>
> To add new or different forms of authentication would therefore not
> require dynamic linking, it would just require starting up a different
> authenticator program. This authenticator could be a single process
> running all the time or it could be a process that sends back a "yes"
> or "no" (along with other data, as needed -- Kerberos tickets, for example).

Because you then have to spread the data receiving code over all of the
programs. While it would probably be smaller than the authenticator code
itself, we still are faced with the same fundamental problem. If you want
to add a new authentication scheme that needs to receive different data,
you have to change every program. While the code footprint would be
smaller, the problem is still the same. :-(

Take care,

Bill