W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Re: 'Basic' Authentication...

From: Larry Masinter <masinter@parc.xerox.com>
Date: Fri, 19 Jan 1996 20:05:05 PST
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <96Jan19.200520pst.2733@golden.parc.xerox.com>
I've not heard anyone propose that we remove basic authentication.
Phill wrote in a message that 'it would be a logical consequence' of
my arguments to do so, but I don't believe that.

As for digest authentication:

Donald Eastlake said:

> If simple changes to digest can significantly improve it, then I guess
> they should be done, but of course that does not extent to trying to
> make it some some kind of bulletproof cryptographic authentication
> protocol repleat with certificates and who knows what else.

Phillip Hallam-Baker said:

> I propose that we accept the following proposals :-
> 1) Adding an algorithm parameter.
> 2) Describe in detail construction of nonces. 
>	Here there are a number of tricks already in use which ensure that
>	a nonce is only valid for requests comming from a single TCP/IP
>	address.

and that he was looking into Allan's other proposals.

Robert Denny said: leave Digest alone
Eric Sink said: We would appreciate it if you did not change Digest in
	a non-compatible fashion.
John Franks echoed Eric's remarks.

I had suggested that the Digest Authentication draft be more explicit
about the limitations of security using it, and didn't hear any
objections to that. In fact, it is a requirement that RFCs have a
'Security Considerations' section, and we won't get far without one.

I think to address these issues, we need a revised draft. Once we have
a revised draft, we can go to last call. It sounds like we want to
handle this as a separate draft which can be standards track, and
included by reference in the HTTP/1.1 standard as well as applied to
HTTP/1.0. 

Is that OK? 

There are 6 names on the draft; will one of you commit to revising the
draft along these lines in the very near future? It seems like getting
the security considerations section right will take a little work.
Received on Friday, 19 January 1996 20:09:00 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:43 EDT