
Re: [moore@cs.utk.edu: http digest auth + http 1.1?]

From: Dave Kristol <dmk@allegra.att.com>
Date: Mon, 26 Aug 96 09:45:45 EDT
Message-Id: <9608261345.AA13306@aleatory>
To: koen@win.tue.nl
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

koen@win.tue.nl (Koen Holtman) wrote:
  > I feel that digest authentication is a `may support' feature, not a
  > `must support' feature for HTTP/1.x applications.  I feel that
  > compliance with 1.1 must _not_ require support for digest
  > authentication: support for various authentication methods has always
  > been optional in HTTP.  If support were required, this would greatly
  > increase the requirements on a minimal 1.1 application, which is a bad
  > thing.

I would like to see it be mandatory.  Here's why.

1) We would like Digest to supersede Basic.

2) As long as there's uncertainty that Digest is widely supported by
browsers, servers will of necessity ask for authentication by either.
(That's assuming they support Digest themselves.)

3) If servers can ask for both kinds of authentication, there's no
incentive for browser vendors to support Digest.  So (I believe) they
won't.

So here's a proposal:  if an HTTP/1.1 agent (client or server) supports
Basic, it must also support Digest.  Authentication support remains
optional, but it's all or none.

Dave Kristol
Received on Monday, 26 August 1996 06:49:36 EDT
