Re: HTTP/1.1 + Digest

David W. Morris (dwm@shell.portal.com)
Tue, 27 Aug 1996 01:31:34 -0700 (PDT)


On Mon, 26 Aug 1996, John Franks wrote:

> I strongly agree with Dave.  I think his arguments are very sound.
> I would clarify one point, though.  It should be possible to support
> Digest and not support Basic.   But I like the requirement that
> if Basic is supported then Digest must be also.  I think Koen's 
> concerns about minimal implementations are met by the possibility of 
> supporting neither.

I disagree weakly ... SHOULD is strong enough ... I have an HTTP application
which at the 99.9% level will be deployed in a single machine. A password
in the clear would not be exposed outside of the machine. Of the remaining
0.1%, the bulk will be on an intranet LAN where exposure is not a large
risk. On that basis, we use basic authentication to restrict access
from users outside the single machine. Hence, I believe it a reasonable
design point to support BASIC w/o DIGEST. SHOULD support DIGEST provides
an opportunity for carefully reasoned escape where other features are
probably worth more of the implementation effort.

Dave Morris