- From: John Franks <john@math.nwu.edu>
- Date: Mon, 26 Aug 1996 08:55:02 -0500 (CDT)
- To: Dave Kristol <dmk@allegra.att.com>
- Cc: koen@win.tue.nl, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Mon, 26 Aug 1996, Dave Kristol wrote:

> koen@win.tue.nl (Koen Holtman) wrote:
> > I feel that digest authentication is a `may support' feature, not a
> > `must support' feature for HTTP/1.x applications. I feel that
> > compliance with 1.1 must _not_ require support for digest
> > authentication: support for various authentication methods has always
> > been optional in HTTP. If support were required, this would greatly
> > increase the requirements on a minimal 1.1 application, which is a bad
> > thing.
>
> I would like to see it be mandatory. Here's why.
>
> 1) We would like Digest to supersede Basic.
>
> 2) As long as there's uncertainty that Digest is widely supported by
> browsers, servers will of necessity ask for authentication by either.
> (That's assuming they support Digest themselves.)
>
> 3) If servers can ask for both kinds of authentication, there's no
> incentive for browser vendors to support Digest. So (I believe) they
> won't.
>
> So here's a proposal: if an HTTP/1.1 agent (client or server) supports
> Basic, it must also support Digest. Authentication support remains
> optional, but it's all or none.

I strongly agree with Dave. I think his arguments are very sound.

I would clarify one point, though. It should be possible to support
Digest and not support Basic. But I like the requirement that if
Basic is supported then Digest must be also. I think Koen's concerns
about minimal implementations are met by the possibility of supporting
neither.

John Franks
Dept of Math. Northwestern University
john@math.nwu.edu

Received on Monday, 26 August 1996 06:57:49 UTC