Re: HTTP/1.1 + Digest

From: David W. Morris <dwm@shell.portal.com>
Date: Tue, 27 Aug 1996 01:31:34 -0700 (PDT)
To: http working group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <Pine.SUN.3.93.960827012305.29002D-100000@jobe.shell.portal.com>


On Mon, 26 Aug 1996, John Franks wrote:

> I strongly agree with Dave.  I think his arguments are very sound.
> I would clarify one point, though.  It should be possible to support
> Digest and not support Basic.   But I like the requirement that
> if Basic is supported then Digest must be also.  I think Koen's 
> concerns about minimal implementations are met by the possibility of 
> supporting neither.

I disagree weakly ... SHOULD is strong enough ... I have an HTTP application
which at the 99.9% level will be deployed in a single machine. A password
in the clear would not be exposed outside of the machine. Of the remaining
.1%, the bulk will be on an intranet LAN where exposure is not a large
risk. On that basis, we use basic authentication to restrict access
from users outside the single machine. Hence, I believe it a reasonable
design point to support BASIC w/o DIGEST. SHOULD support DIGEST provides
an opportunity for carefully reasoned escape where other features are
probably worth more of the implementation effort. 

Dave Morris
Received on Tuesday, 27 August 1996 01:36:31 EDT
