On Mon, 26 Aug 1996, John Franks wrote:

> I strongly agree with Dave. I think his arguments are very sound.
> I would clarify one point, though. It should be possible to support
> Digest and not support Basic. But I like the requirement that
> if Basic is supported then Digest must be also. I think Koen's
> concerns about minimal implementations are met by the possibility of
> supporting neither.

I disagree weakly ... SHOULD is strong enough ...

I have an HTTP application which at the 99.9% level will be deployed in a single machine. A password in the clear would not be exposed outside of the machine. Of the remaining .1%, the bulk will be on an intranet LAN where exposure is not a large risk. On that basis, we use basic authentication to restrict access from users outside the single machine.

Hence, I believe it a reasonable design point to support BASIC w/o DIGEST. SHOULD support DIGEST provides an opportunity for carefully reasoned escape where other features are probably worth more of the implementation effort.

Dave Morris

Received on Tuesday, 27 August 1996 01:36:31 EDT