W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

'Basic' Authentication...

From: Kris Benson <doctorkb@synaptic.net>
Date: Fri, 19 Jan 1996 19:10:50 -0801 (PST)
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.BSD.3.91.960119185926.996C-100000@vortex.netbistro.com>
There has been some discussion on the possibility of omitting the 'Basic'
Authentication scheme in the newest version of the spec.  Here are my
thoughts: 

1) While the 'Basic' scheme *is* insecure, it is already considered a 
*standard*.  Almost all browsers support it and it allows webmasters and 
developers alike to put some sort of 'protection' on their pages, albeit 
limited, however existant.  If we obliterate this from the spec, then we 
end up with something like Netscape's SSL.  Proprietary, and 
not-widely-supported.  This is not necessarily A Good Thing (as it has 
been for Netscape) simply because we are attempting to build a platform 
which will be client independant, regardless of the platform or client.

2) If it is removed, it should either be replaced or transfered to 
another ID or RFC for it or another backwardly compatable authentication 
method for the HTTP protocol.  Perhaps something to the effect of the 
server sending the salt, the client encrypting it's password, and sending 
it back for authentication.

3) In short, web developers depend on this part of the standard as much 
as any other part, and it must remain part of a standard or at least 
included for backwards compatability.

--
Kris "The Doctor" Benson <kris@hackers-unlimited.com>
President, Hackers Unlimited
Personal HomePage: http://www.hackers-unlimited.com/doctorkb/
Hackers Unlimited: http://www.hackers-unlimited.com/
JAPH, HTMLer, Webmaster, UNIX guy for hire...
Received on Friday, 19 January 1996 19:12:54 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:43 EDT