W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: Digest mess

From: Roy T. Fielding <fielding@kiwi.ics.uci.edu>
Date: Tue, 16 Dec 1997 00:40:30 -0800
To: Larry Masinter <masinter@parc.xerox.com>
Cc: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <9712160041.aa29610@paris.ics.uci.edu>
>> The current definition seems to have lost
>> all of the advantages it had over transport-level encryption,
>
>Except that it doesn't require encryption.

Sorry, I meant transport-level security (TLS).

>This is critically important. Don't go off half-cocked.

I agree it is critically important.  It was critically important 
three years ago.  That doesn't change the fact that it is dead.
We keep fiddling with a dead mechanism as if adding one more feature
will suddenly create the installed base necessary for its deployment.
We can't deploy the thing because it is too complicated to require
of all HTTP clients, and yet there is no negotiation framework for
the client to signal its ability to handle the mechanism other than
the HTTP-version.

We (or somebody) should be working on a way to do this kind of thing
in a clean manner, without reliance on aspects of HTTP over which the
authentication process has no control, and in a manner that is separate
from the very orthogonal concept of digest authentication.  The stupid
thing is that we could have required Digest two years ago if it hadn't
picked up all this other cruft.

And the first person who says "You can do that in PEP" had better
be prepared to prove it (in some future WG to be named later).

....Roy  [feeling particularly grumpy this morning, sorry]
Received on Tuesday, 16 December 1997 00:47:42 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:05 EDT