W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1996

Re: HTTP/1.1 + Digest

From: Fisher Mark <FisherM@is3.indy.tce.com>
Date: Tue, 27 Aug 96 13:09:00 PDT
To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <322357F6@MSMAIL.INDY.TCE.COM>

Phillip Hallam-Baker writes in <9608271501.AA01051@vesuvius.ai.mit.edu>:
>Dave Morris describes HTTP application 99.9% certain to be on single
>machine...
>
>
>I don't think that this is a convincing argument. The concern is
>to stop the password in the clear problem ASAP. There has been
>remarkably little progress on the part of the vendors here and
>a SHOULD is not going to improve progress

Undoubtedly, there will be a very small minority of applications where 
passwords in the clear are not a serious problem.  But this is such a small 
fraction of the HTTP applications as to be negligible.

In my experience, applications have long lives with tortuous paths from 
their start point to their end -- witness the 1401 Autocoder payroll system 
I knew of running 10 or so years after IBM discontinued making the 1401. 
 Dave, IMHO it is dangerous to assume that this application will forever and 
ever not be subject to someone, somewhere, wanting to break security on it 
 -- if not on its current platform, then on the next platform, or the 
next...  If the data is worth protecting, it is likely that the data 
security is worth cracking.

If an HTTP 1.1 server supports Basic, they MUST support Digest.  This is the 
only way to eventually eliminate passwords in the clear.
======================================================================
Mark Leighton Fisher                   Thomson Consumer Electronics
fisherm@indy.tce.com                   Indianapolis, IN
Received on Tuesday, 27 August 1996 11:20:18 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:08 EDT