W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1996

Re: digest vs basic

From: John Franks <john@math.nwu.edu>
Date: Wed, 28 Aug 1996 17:05:20 -0500 (CDT)
To: Peter J Churchyard <pjc@trusted.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SUN.3.91.960828165034.4160A-100000@hopf.math.nwu.edu>
On Wed, 28 Aug 1996, Peter J Churchyard wrote:

> As larry has pointed out, basic for client / server non persistant requests
> is a poor choice.
> 
> client - proxy  with persistant connection between client and proxy 
> when used with one time password systems ( as we do in our product) allows
> sites to authenticate strongly which of their users can do WEB stuff.
> 

This sounds interesting.  But I am not sure whether you 

   (1) Authenticate a client only once for a persistent connection,

or

   (2) Authenticate each transaction (reusing the password), but use
      a new password anytime there is a new connection.

Either would seem possible.  

If it is (1) then strictly speaking you are probably not HTTP
compliant since you are essentially making the Proxy-Authorization
header "sticky".  But I see no reason that your proxy shouldn't
interoperate with HTTP clients.

If it is (2) then you aren't strictly using one-time passwords, as the
same password is re-used for each transaction, but you should have
essentially all the benefits of one-time passwords.


John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu
Received on Wednesday, 28 August 1996 15:07:21 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:08 EDT