Re: 'Basic' Authentication...
Larry Masinter (masinter@parc.xerox.com)
Fri, 26 Jan 1996 14:34:21 PST
If you could suggest specific wording changes, e.g., for
draft-ietf-http-v10-spec-04.txt section 12.1:
> 12.1 Authentication of Clients
> As mentioned in Section 11.1, the Basic authentication scheme is
> not a secure method of user authentication, nor does it prevent the
> Entity-Body from being transmitted in clear text across the
> physical network used as the carrier. HTTP/1.0 does not prevent
> additional authentication schemes and encryption mechanisms from
> being employed to increase security.
that would be very useful. I do think that this is an issue that needs
resolution before HTTP/1.0 goes out the door. Basic authentication
does not actually imply that plaintext passwords are being used; the
password can be one-time, e.g., with a SecurID.
For what it's worth, I'm not sure:
> HTTP/1.0 does not prevent
> additional authentication schemes and encryption mechanisms from
> being employed to increase security.
carries a lot of meaning to the uninitiated.
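An added example, not part of the message or of the HTTP/1.0 draft, illustrating both points above: Basic only base64-encodes the user-id and password (anyone observing the request can recover them), yet the password slot can carry a one-time token so that a captured header is useless once spent. The header strings, the in-memory token store and the function names are constructed for this illustration.

```python
import base64
import secrets
from typing import Optional, Tuple


def basic_header(user: str, password: str) -> str:
    """Build the header line a client sends after a 401 challenge (constructed)."""
    cookie = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {cookie}"


def parse_basic(header_line: str) -> Optional[Tuple[str, str]]:
    """Recover (user-id, password) from an Authorization: Basic line.
    base64 is an encoding, not encryption: this is exactly what an observer
    on the carrier network can do with the same bytes."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        return None
    scheme, _, cookie = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(cookie.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class OneTimePasswordVerifier:
    """Server side (hypothetical): the password field carries a one-time token,
    so the wire format stays cleartext Basic but a replayed header is refused."""

    def __init__(self) -> None:
        self._unused = {}  # user -> set of tokens not yet spent (constructed store)

    def issue(self, user: str) -> str:
        token = secrets.token_hex(4)  # stands in for a hardware-token code
        self._unused.setdefault(user, set()).add(token)
        return token

    def verify(self, header_line: str) -> bool:
        creds = parse_basic(header_line)
        if creds is None:
            return False
        user, token = creds
        pending = self._unused.get(user, set())
        if token not in pending:  # unknown, or already used: reject
            return False
        pending.discard(token)  # burn the token on first successful use
        return True
```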