'Basic' Authentication...
Kris Benson (doctorkb@synaptic.net)
Fri, 19 Jan 1996 19:10:50 -0801 (PST)
There has been some discussion on the possibility of omitting the 'Basic'
Authentication scheme in the newest version of the spec. Here are my
thoughts:
1) While the 'Basic' scheme *is* insecure, it is already considered a
*standard*. Almost all browsers support it and it allows webmasters and
developers alike to put some sort of 'protection' on their pages, albeit
limited, however existent. If we obliterate this from the spec, then we
end up with something like Netscape's SSL. Proprietary, and
not-widely-supported. This is not necessarily A Good Thing (as it has
been for Netscape) simply because we are attempting to build a platform
which will be client independent, regardless of the platform or client.
2) If it is removed, it should either be replaced or transferred to
another ID or RFC for it or another backwardly compatible authentication
method for the HTTP protocol. Perhaps something to the effect of the
server sending the salt, the client encrypting its password, and sending
it back for authentication.
3) In short, web developers depend on this part of the standard as much
as any other part, and it must remain part of a standard or at least
included for backwards compatibility.
--
Kris "The Doctor" Benson <kris@hackers-unlimited.com>
President, Hackers Unlimited
Personal HomePage: http://www.hackers-unlimited.com/doctorkb/
Hackers Unlimited: http://www.hackers-unlimited.com/
JAPH, HTMLer, Webmaster, UNIX guy for hire...
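
Added example, not part of the original message: a Python sketch contrasting the 'Basic' scheme, whose header is only base64-encoded and can be reversed by anyone who observes it, with the salt-based exchange suggested in point 2. The HMAC-SHA256 construction, the function names and the sample credentials are assumptions chosen for illustration, not anything specified in the message or the HTTP drafts it discusses.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials (not from the original message).
USER, PASSWORD = "alice", "s3cret-passphrase"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a client sends under the Basic scheme."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_from_basic(header: str) -> tuple[str, str]:
    """Reverse an observed header: base64 is an encoding, not encryption."""
    scheme, token = header.split(" ", 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def new_challenge() -> str:
    """Server side: a fresh random salt (nonce) for each authentication attempt."""
    return secrets.token_hex(16)


def client_response(password: str, challenge: str) -> str:
    """Client side: keyed hash of the challenge; the password itself is never sent."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.sha256).hexdigest()


def server_verify(stored_password: str, challenge: str, response: str) -> bool:
    """Server side: recompute from its own copy of the secret, compare in constant time."""
    expected = client_response(stored_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print(hdr, "->", recover_from_basic(hdr))
    c1, c2 = new_challenge(), new_challenge()
    r1 = client_response(PASSWORD, c1)
    print("fresh challenge accepted:", server_verify(PASSWORD, c1, r1))
    print("same response against a new challenge:", server_verify(PASSWORD, c2, r1))
```

The response is bound to one challenge, so a captured response does not authenticate against a later one; the trade-off is that the server must hold the password or an equivalent secret to recompute it.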