W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Re: Where should Digest go next?

From: Larry Masinter <masinter@parc.xerox.com>
Date: Wed, 3 Jan 1996 18:26:06 PST
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <96Jan3.182618pst.2733@golden.parc.xerox.com>
I'm just trying to figure out how to deal with 'Digest Authentication'
in the face of claims that the mechanism has well known holes and
limitations. Here are the procedural options, as far as I can see
them:

1- Submit as Proposed standard as part of HTTP/1.1
2- Submit as Proposed standard as a separate document
3- Submit as Informational, as part of HTTP/1.0
4- Submit as Informational, as a separate document
5- Don't handle as part of IETF

The problem with options 1 and 2 is whether such Proposed Standards
would have a chance of actually making it to Standard without change.
I don't think this will work out: the standards track really does
require us to propose solutions that don't have major holes, and if
we're not interested in fixing the known problems, trying to move
along standards track is inappropriate.

The problem with option 3 is that it would delay the (already late)
HTTP/1.0 spec.

So, I'm leaning toward option 4 or 5. With option 4, it is likely that
if you submit it in the current form, the IESG would either add or
require the authors to add appropriate disclaimers as to how Digest
Authentication might not add significant additional security above and
beyond Basic Authentication.

Is this agreeable? I'd like to get the 'Digest Authentication' item
out of its currently stalled status, and move forward on this one way
or another.
Received on Wednesday, 3 January 1996 18:29:44 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:42 EDT