Re: Regarding Authentication

>>>>> "SR" == Sambasiva Rao <sams@wipinfo.soft.net> writes:

SR> A few issues related to Authentication are as follows:

SR> 1> In the authentication credentials field, defined as follows

SR> 	credentials  = basic-credentials
SR> 			|auth-scheme #auth-param
SR> 	in RFC2068.

SR> a> Does this mean the server must produce a parse error if the client
SR> sends two or more scheme credentials? (This problem doesn't exist in
SR> HTTP/1.0 as it supports only one scheme.)

  I think that there is no reason to allow for multiple sets of
  credentials; it doesn't really add any useful feature I can think
  of, and introduces a number of other possible errors (what if one
  set is ok and another is not?).

SR> 2> If only one scheme is allowed and the agent wants to send a
SR> request with the authentication scheme credentials before the
SR> challenge (unauthorised response), then it really doesn't have
SR> much flexibility.  A sort of agent-side negotiation for the
SR> authentication schemes.

  I don't think that there is any interoperability reason why you
  should not send unsolicited credentials (that is, I don't think that
  it breaks the protocol itself to do so), but it makes no sense from
  a security point of view:

  - With Basic all you're doing is publishing your password to someone
    who may not need it or have any reason to get it (which is what
    you're doing every time you use Basic anyway...)

  - With Digest you can't generate valid credentials without the nonce
    from the challenge anyway.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/

Received on Thursday, 13 November 1997 06:37:59 UTC
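A worked illustration of both points in the reply above (one scheme per Authorization header, and why Digest credentials cannot be built before the challenge), added here as an example and not part of the original thread. The user, realm, password and nonce are constructed; the Digest computation follows RFC 2069, which RFC 2068 references:

```python
import base64
import hashlib
import re

# Comma outside a quoted-string, for the #auth-param list (quoted-pair escapes not handled).
_LIST_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 2068 token characters

def parse_credentials(header):
    """Parse credentials = basic-credentials | auth-scheme #auth-param; one scheme only.
    An item that is not token "=" value (e.g. a second scheme) raises ValueError."""
    scheme, _, rest = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        user, _, password = base64.b64decode(rest.strip()).decode().partition(":")
        return scheme, {"username": user, "password": password}
    params = {}
    for item in filter(None, (i.strip() for i in _LIST_COMMA.split(rest))):
        name, eq, value = item.partition("=")
        if not eq or not _TOKEN.match(name.strip()):
            raise ValueError("more than one credential set: %r" % item)
        params[name.strip().lower()] = value.strip().strip('"')
    return scheme, params

def _h(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2069 request-digest = KD(H(A1), nonce ":" H(A2)); the server nonce is an input."""
    a1 = _h("%s:%s:%s" % (username, realm, password))
    a2 = _h("%s:%s" % (method, uri))
    return _h("%s:%s:%s" % (a1, nonce, a2))

def verify_digest(params, method, password, issued_nonce):
    """Server side: only a response bound to the nonce this server issued is accepted."""
    if params.get("nonce") != issued_nonce:
        return False
    expected = digest_response(params["username"], params["realm"], password,
                               issued_nonce, method, params["uri"])
    return expected == params.get("response")

def unsolicited_digest_demo():
    """Constructed scenario; returns (solicited accepted, unsolicited accepted)."""
    issued = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed nonce from the server's 401 challenge
    def header(nonce):  # the client computes credentials over whatever nonce it has
        resp = digest_response("alice", "protected", "secret", nonce, "GET", "/dir/index.html")
        return ('Digest username="alice", realm="protected", nonce="%s", '
                'uri="/dir/index.html", response="%s"' % (nonce, resp))
    solicited = parse_credentials(header(issued))[1]
    unsolicited = parse_credentials(header("made-up-before-challenge"))[1]  # no challenge seen yet
    return (verify_digest(solicited, "GET", "secret", issued),
            verify_digest(unsolicited, "GET", "secret", issued))
```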