W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Unidentified subject!

From: John Franks <john@math.nwu.edu>
Date: Wed, 17 Dec 1997 11:59:06 -0600 (CST)
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.LNX.3.95.971217113534.6533B-100000@hopf.math.nwu.edu>

The digest authentication specification has been stable for quite some
time.  There are numerous implementations which interoperate.  Some
of them (e.g. Apache) are widely deployed.

The recent spate of posts have criticized it because 1) "it suffers
from featuritis", and 2) "with just a couple of additions it could
be really useful."

As Roy Fielding pointed out the primary failing is that it is not
implemented in MSIE and Netscape.  The only thing we can do to remedy
this is keep the specification on track.

The only reason this came up at this point was that because a hash
of the Date, L-M and Expires headers can be part of the response
there could be a problem for servers with no clock if a proxy added
a Date header.  There is a simple answer to this which is that
proxies should not be allowed to add or change Date, L-M or Expires
headers.  There are no known implementations which do so and no one
has suggested any reason it is necessary to do so.

In short there is nothing wrong with digest.  It works; there are
implementations; they interoperate.  We would like more implementations
and the way to get that is keep the specification on track.

John Franks
john@math.nwu.edu
Received on Wednesday, 17 December 1997 10:04:23 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:05 EDT