Re: Regarding Authentication

From: Josh <josh@early.com>
Date: Thu, 13 Nov 1997 12:31:54 -0500 (EST)
Message-Id: <199711131731.MAA20020@orac.early.com>
To: Scott Lawrence <lawrence@agranat.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
According to Scott Lawrence,
> 
>   I don't think that there is any interoperability reason why you
>   should not send unsolicited credentials (that is, I don't think that
>   it breaks the protocol itself to do so), but it makes no sense from
>   a security point of view:
> 
>   - With Basic all you're doing is publishing your password to someone
>     who may not need it or have any reason to get it (which is what
>     you're doing every time you use Basic anyway...)
> 
>   - With Digest you can't generate valid credentials without the nonce
>     from the challenge anyway.
> 
I agree that you don't generally send unsolicited credentials, but
the context isn't necessarily clear.  If you are challenged for credentials
initially, but a long while later (potentially hours) in the same
browser session, you might send those same credentials again
in a later transaction.  One could argue that this
would be unsolicited, since it's possible for those
credentials to be invalid at the later time.

-- 
Josh Cohen
josh@early.com
Received on Thursday, 13 November 1997 09:33:21 EST
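The two points argued in this exchange can be made concrete with a small
server-side model. This is an added example, not code from the thread or
from any of the participants: it decodes an unsolicited Basic header to show
that it simply hands the password to whoever receives it, and it implements
an RFC 2069-style Digest check (response = H(HA1:nonce:HA2), no qop) whose
nonces carry a timestamp, so that credentials computed from an old challenge
still verify but are reported as stale once the nonce has expired. The nonce
format, the one-hour lifetime, the server secret and the user/password are
all constructed assumptions for illustration.

```python
import base64
import hashlib

# Constructed policy: nonces older than this are refused (stale=true).
NONCE_LIFETIME = 3600  # seconds; an assumption, not from the thread

REALM = "example.org"              # constructed realm
USERS = {"alice": "s3cret"}        # constructed credentials


def encode_basic(user, password):
    """Build the Authorization header a client sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_password_from_header(header):
    """What any server receiving an unsolicited Basic header learns: the password."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def _nonce_mac(ts, secret):
    # Binds the timestamp to a server secret so a client cannot forge fresh nonces.
    return hashlib.sha256(f"{ts}:{secret}".encode()).hexdigest()[:16]


def mint_nonce(secret, now):
    """Server challenge: a nonce that embeds its issue time (constructed format)."""
    ts = int(now)
    return f"{ts}:{_nonce_mac(ts, secret)}"


def nonce_valid(nonce, secret, now):
    """True if the nonce was minted by us and is still inside its lifetime."""
    try:
        ts_str, mac = nonce.split(":")
        ts = int(ts_str)
    except ValueError:
        return False
    if mac != _nonce_mac(ts, secret):
        return False
    return (now - ts) <= NONCE_LIFETIME


def _h(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, nonce, method, uri):
    """Client side: RFC 2069 response = H(H(user:realm:pw) : nonce : H(method:uri)).
    Without the nonce from a challenge there is nothing to compute."""
    ha1 = _h(f"{user}:{REALM}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{ha2}")


def check_digest(creds, method, secret, now):
    """Server side. Returns (status, stale): 200 for good credentials,
    401 with stale=True when the digest is right but the nonce has expired,
    401 with stale=False when the credentials themselves are wrong."""
    user = creds["username"]
    if user not in USERS:
        return 401, False
    expected = digest_response(user, USERS[user], creds["nonce"], method, creds["uri"])
    if expected != creds["response"]:
        return 401, False
    # Digest matched, so the client knew the password; only now decide on staleness,
    # which is what lets the server answer stale=true instead of a plain rejection.
    if not nonce_valid(creds["nonce"], secret, now):
        return 401, True
    return 200, False


if __name__ == "__main__":
    secret, t0 = "server-secret", 1_000_000          # constructed values
    print(basic_password_from_header(encode_basic("alice", "s3cret")))
    nonce = mint_nonce(secret, t0)
    creds = {"username": "alice", "nonce": nonce, "uri": "/",
             "response": digest_response("alice", "s3cret", nonce, "GET", "/")}
    print(check_digest(creds, "GET", secret, now=t0 + 10))           # fresh
    print(check_digest(creds, "GET", secret, now=t0 + 5 * 3600))     # hours later
```

The last call is the situation described in the reply: the same credentials
resent hours later in the same session verify as far as the password goes,
but the server treats them as invalid because the nonce they were built from
is no longer acceptable, and signals that with stale=true so the client can
retry against a fresh challenge without asking the user again.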