
Re: Regarding Authentication

From: Josh <josh@early.com>
Date: Thu, 13 Nov 1997 12:31:54 -0500 (EST)
Message-Id: <199711131731.MAA20020@orac.early.com>
To: Scott Lawrence <lawrence@agranat.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4662

According to Scott Lawrence,
>   I don't think that there is any interoperability reason why you
>   should not send unsolicited credentials (that is, I don't think that
>   it breaks the protocol itself to do so), but it makes no sense from
>   a security point of view:
>   - With Basic all you're doing is publishing your password to someone
>     who may not need it or have any reason to get it (which is what
>     you're doing every time you use Basic anyway...)
>   - With Digest you can't generate valid credentials without the nonce
>     from the challenge anyway.
I agree that you don't generally send unsolicited credentials, but
the context isn't necessarily clear.  If you are challenged for credentials
initially, but a long while later (potentially hours) in the same
browser session, you might send those same credentials again
in a later transaction.  One could argue that this
would be unsolicited, since it's possible for those
credentials to be invalid at the later time.

Josh Cohen
Received on Thursday, 13 November 1997 09:33:21 UTC
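An added example, not from this thread, of how a server can distinguish the hours-later reuse Josh describes from forged or wrong credentials: a Digest (RFC 2617, qop=auth) nonce that carries its own issue time, so correct credentials computed over an expired nonce get a `stale=true` challenge rather than being accepted or counted as a failed login. SERVER_KEY, NONCE_LIFETIME, REALM and every function name here are assumptions.

```python
import base64
import hashlib
import hmac
SERVER_KEY = b"constructed-demo-key"  # constructed; a real server uses a random secret
NONCE_LIFETIME = 300                  # seconds a nonce stays usable (assumed policy)
REALM = "example"                     # constructed realm
h = lambda s: hashlib.md5(s.encode()).hexdigest()  # MD5, as RFC 2617 specifies

def make_nonce(now):
    """Nonce = base64(timestamp ':' HMAC(key, timestamp)), so it carries its issue time."""
    ts = str(int(now))
    tag = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return base64.b64encode(f"{ts}:{tag}".encode()).decode()

def classify_nonce(nonce, now):
    """'ok', 'stale' (genuine but expired) or 'invalid' (forged or malformed)."""
    try:
        ts, tag = base64.b64decode(nonce, validate=True).decode().split(":", 1)
        issued = int(ts)
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return "invalid"
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "invalid"
    return "stale" if now - issued > NONCE_LIFETIME else "ok"

def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = h(f"{user}:{REALM}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def challenge(now, stale=False):
    hdr = f'Digest realm="{REALM}", qop="auth", nonce="{make_nonce(now)}"'
    return hdr + (", stale=true" if stale else "")

def authorize(creds, stored_password, method, now):
    """creds: parsed Authorization params. Returns (status, WWW-Authenticate or None)."""
    state = classify_nonce(creds["nonce"], now)
    if state == "invalid":
        return "401", challenge(now)
    expected = digest_response(creds["username"], stored_password, method,
                               creds["uri"], creds["nonce"], creds["nc"], creds["cnonce"])
    if not hmac.compare_digest(expected.encode(), creds["response"].encode()):
        return "401", challenge(now)  # wrong password: re-challenge, no stale flag
    if state == "stale":
        # Correct credentials over an expired nonce: the hours-later reuse discussed
        # above. stale=true lets the client retry with the new nonce without re-prompting.
        return "401", challenge(now, stale=True)
    return "200", None
```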
