
Re: 'Basic' Authentication...

From: Larry Masinter <masinter@parc.xerox.com>
Date: Fri, 26 Jan 1996 14:34:21 PST
To: pjc@trusted.com
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <96Jan26.143436pst.2733@golden.parc.xerox.com>

If you could suggest specific wording changes, e.g., for
draft-ietf-http-v10-spec-04.txt section 12.1:

> 12.1  Authentication of Clients

>   As mentioned in Section 11.1, the Basic authentication scheme is 
>   not a secure method of user authentication, nor does it prevent the 
>   Entity-Body from being transmitted in clear text across the 
>   physical network used as the carrier. HTTP/1.0 does not prevent 
>   additional authentication schemes and encryption mechanisms from 
>   being employed to increase security.

that would be very useful. I do think that this is an issue that needs
resolution before HTTP/1.0 goes out the door. Basic authentication
does not actually imply that plaintext passwords are being used; the
password can be one-time, e.g., with a SecurID.

For what it's worth, I'm not sure:

> 					HTTP/1.0 does not prevent 
>   additional authentication schemes and encryption mechanisms from 
>   being employed to increase security.

carries a lot of meaning to the uninitiated.
Received on Friday, 26 January 1996 14:37:15 EST
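
An added illustration, not part of the original message or of the draft, of the point in the quoted section 12.1 text: Basic credentials are only base64-encoded, so whatever the client sent as the password, reusable or one-time, is readable from the request without any key. The request bytes, user names and passwords below are constructed samples, and the function names are assumptions of this example.

```python
import base64
import binascii


def parse_basic_authorization(value):
    """Decode an Authorization header value of the Basic scheme.

    Returns (userid, password), or None if the value is not well-formed
    Basic credentials. No key or secret is needed: base64 is an encoding.
    """
    scheme, _, cookie = value.strip().partition(" ")
    cookie = cookie.strip()
    if scheme.lower() != "basic" or not cookie:
        return None
    try:
        decoded = base64.b64decode(cookie, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    if ":" not in decoded:
        return None
    # The userid may not contain ":", so split on the first one only;
    # the password may contain further colons.
    userid, password = decoded.split(":", 1)
    return userid, password


def credentials_visible_in(raw_request):
    """Return the credentials readable from a captured request head, if any."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the Request-Line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return parse_basic_authorization(value)
    return None


# Constructed sample request; the user name and password are made up.
SAMPLE_REQUEST = (
    b"GET /private/index.html HTTP/1.0\r\n"
    b"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(credentials_visible_in(SAMPLE_REQUEST))
    # A one-time code travels the same way; only its reuse value differs.
    otp = base64.b64encode(b"alice:492817").decode("ascii")
    print(parse_basic_authorization("Basic " + otp))
```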
