- From: Scott Lawrence <lawrence@agranat.com>
- Date: Thu, 13 Nov 1997 09:23:08 -0500
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>>>>> "SR" == Sambasiva Rao <sams@wipinfo.soft.net> writes:
SR> A few issues related to authentication are as follows:
SR> 1> In the authentication credentials field defined as follows
SR> credentials = basic-credentials
SR> |auth-scheme #auth-param
SR> in RFC2068.
SR> a> Does this mean the server must produce a parse error if the client
SR> sends two or more scheme credentials? (This problem doesn't exist in
SR> HTTP/1.0 as it supports only one scheme.)
I think that there is no reason to allow for multiple sets of
credentials; it doesn't really add any useful feature I can think
of, and introduces a number of other possible errors (what if one
set is ok and another is not?).
SR> 2> If only one scheme is allowed and if the agent wants to
SR> send a request with the authentication scheme credentials before
SR> the challenge (unauthorised response) then it really doesn't have
SR> much flexibility. A sort of agent-side negotiation for the
SR> authentication schemes.
I don't think that there is any interoperability reason why you
should not send unsolicited credentials (that is, I don't think that
it breaks the protocol itself to do so), but it makes no sense from
a security point of view:
- With Basic all you're doing is publishing your password to someone
who may not need it or have any reason to get it (which is what
you're doing every time you use Basic anyway...)
- With Digest you can't generate valid credentials without the nonce
from the challenge anyway.
--
Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/
Received on Thursday, 13 November 1997 06:37:59 UTC
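The following Python script is an added illustration of the two points made in the reply above; it is not part of the thread and not code from Scott Lawrence or Agranat Systems. It parses an Authorization value against the RFC 2068 grammar (credentials = basic-credentials | auth-scheme #auth-param) and rejects a value that carries a second scheme, shows that Basic credentials decode straight to the password, and computes a Digest response in the RFC 2069 form (no qop) so that the dependence on the server-issued nonce is visible. The user name, password, realm, URI and nonce are constructed sample values.

```python
import base64
import hashlib
import hmac
import re

# RFC 2068 token characters, used for auth-scheme and auth-param names.
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
SCHEME_RE = re.compile(rf"^({TOKEN})(?:\s+(.*))?$", re.DOTALL)
PARAM_RE = re.compile(rf'\s*({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})\s*')


def parse_credentials(header_value):
    """Parse an Authorization value as
         credentials = basic-credentials | auth-scheme #auth-param
    Returns ("Basic", (user, password)) or (scheme, {param: value}).
    Raises ValueError for malformed input, including a value that carries
    a second scheme (the one-scheme reading of RFC 2068 discussed above).
    """
    m = SCHEME_RE.match(header_value.strip())
    if not m:
        raise ValueError("no auth-scheme")
    scheme, rest = m.group(1), (m.group(2) or "")
    if scheme.lower() == "basic":
        # basic-credentials is a single base64 token; anything after it
        # (e.g. ", Digest username=...") is outside the grammar.
        if not re.fullmatch(r"[A-Za-z0-9+/]+=*", rest):
            raise ValueError("Basic: expected exactly one base64 token")
        user, sep, password = base64.b64decode(rest).decode("utf-8").partition(":")
        if not sep:
            raise ValueError("Basic: user-pass lacks ':'")
        return "Basic", (user, password)
    # Other schemes: comma-separated name=value pairs that must cover the
    # whole remainder; a bare token such as a second scheme name fails here.
    params, pos = {}, 0
    while pos < len(rest):
        pm = PARAM_RE.match(rest, pos)
        if not pm:
            raise ValueError(f"malformed auth-param near {rest[pos:pos + 20]!r}")
        name, value = pm.group(1).lower(), pm.group(2)
        if value.startswith('"'):
            value = value[1:-1]  # quoted-string; backslash escapes left as-is
        params[name] = value
        pos = pm.end()
        if pos < len(rest):
            if rest[pos] != ",":
                raise ValueError("expected ',' between auth-params")
            pos += 1
    return scheme, params


def is_well_formed(header_value):
    """True if parse_credentials accepts the value (one scheme, valid syntax)."""
    try:
        parse_credentials(header_value)
        return True
    except ValueError:
        return False


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2069 Digest response: MD5(MD5(A1) ":" nonce ":" MD5(A2)).
    The nonce comes from the server's challenge, so a client cannot form
    this value before it has seen one (the second point in the reply).
    """
    a1 = f"{user}:{realm}:{password}"
    a2 = f"{method}:{uri}"
    return _md5(f"{_md5(a1)}:{nonce}:{_md5(a2)}")


def verify_digest(params, password_for, issued_nonce, method):
    """Server side: accept only a response computed over the nonce it issued."""
    if params.get("nonce") != issued_nonce:
        return False  # not our nonce: stale, replayed, or never challenged
    try:
        expected = digest_response(params["username"], params["realm"],
                                   password_for(params["username"]),
                                   method, params["uri"], issued_nonce)
    except KeyError:
        return False
    return hmac.compare_digest(expected, params.get("response", ""))


def demo():
    # Constructed sample values; none of these are real credentials.
    users = {"alice": "secret"}
    nonce = "constructed-nonce-0001"
    basic = "Basic " + base64.b64encode(b"alice:secret").decode()
    print("Basic decodes to", parse_credentials(basic)[1])  # password in the clear
    resp = digest_response("alice", "example", "secret", "GET", "/dir/index.html", nonce)
    digest = (f'Digest username="alice", realm="example", nonce="{nonce}", '
              f'uri="/dir/index.html", response="{resp}"')
    scheme, params = parse_credentials(digest)
    print(scheme, "verified:", verify_digest(params, users.get, nonce, "GET"))
    print("two schemes accepted:", is_well_formed(basic + ", " + digest))


if __name__ == "__main__":
    demo()
```

Running the script prints the decoded Basic user/password pair, a successful Digest verification against the nonce the "server" issued, and False for a header that strings a Basic and a Digest credential together. The parser insists that every byte after the scheme name is consumed by auth-params, which is what makes a second scheme name a syntax error rather than something silently ignored.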