W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

RE: Digest mess

From: Vinod Valloppillil <vinodv@microsoft.com>
Date: Mon, 5 Jan 1998 09:21:16 -0800
Message-Id: <5CEA8663F24DD111A96100805FFE658701FDE504@red-msg-51.dns.microsoft.com>
To: Yaron Goland <yarong@microsoft.com>, 'Scott Lawrence' <lawrence@agranat.com>, "John C. Mallery" <jcma@ai.mit.edu>, "Roy T. Fielding (E-mail)" <fielding@ics.uci.edu>, "Larry Masinter (E-mail)" <masinter@parc.xerox.com>
Cc: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, Paul Leach <paulle@microsoft.com>, Alex Hopmann <alexhop@microsoft.com>, "Henry Sanders (Exchange)" <henrysa@exchange.microsoft.com>, "Jim Whitehead (E-mail)" <ejw@ics.uci.edu>
also --  digest is a lot easier to implement admin-wise than the other
currently available solution -- SSL

(SSL requires buying certs, reapplying for a cert after x years, etc.  ---
this is definitely NOT an out-of-the-box solution for things like secure web
admin for a backoffice server app)

> -----Original Message-----
> From:	Yaron Goland 
> Sent:	Tuesday, December 30, 1997 12:31 AM
> To:	'Scott Lawrence'; John C. Mallery; Roy T. Fielding (E-mail); Larry
> Masinter (E-mail)
> Cc:	HTTP Working Group; Paul Leach; Alex Hopmann; Henry Sanders
> (Exchange); Jim Whitehead (E-mail)
> Subject:	RE: Digest mess
> 
> Actually, an old timer (you know who you are =) insists we did Digest in
> IE
> 2.0. However, I am informed that it was not in 3.0 or higher. I am
> considering recommending it for 5.0 or 6.0.
> 
> The reasons I like Digest are:
> 
> A) Digest is "good enough" for a lot of my scenarios. My users don't have
> public keys and aren't likely to have them for a very long time. However
> they do have passwords, lots of passwords, and Digest is a hell of a lot
> better than Basic.
> 
> B) I can export the damn thing.
> 
> C) I can actually perform proxy/firewall controls
> 
> D) I can mux multiple authenticated requests with different users and
> passwords request/responses over a single connection (is there even a way
> to
> "re-authenticate" TLS with a different key or do you always have to break
> the connection?)
> 
> The main thing I hate about Digest is:
> 
> A) Can't digest arbitrary headers.
> 
> This is a big deal for groups like WebDAV where new headers are being
> introduced which contain critical command information. For example the
> depth
> header specifies if a command applies to a single resource or a collection
> of resources. The destination header specifies the destination of a move
> or
> copy. Changing these headers would have a profound effect on the meaning
> of
> the method.
> 
> Unfortunately this single complaint seems to be a show stopper for a group
> like WebDAV. Someone please demonstrate to me I'm wrong. You will have
> made
> my life much better.
> 
> If this problem can be solved the WebDAV group would even be willing to
> specify, for each method it defines, which headers MUST be part of the
> digest. That should, one would hope, allow us to avoid negotiation. I can
> see a later spec which adds negotiation on which headers must be digested
> but that need not be part of the base spec.
> 
> Other than this single problem, I'm a big fan of digest and would love to
> recommend its implementation in IE.
> 
> 		Yaron
> 
> > -----Original Message-----
> > From:	Scott Lawrence [SMTP:lawrence@agranat.com]
> > Sent:	Wednesday, December 17, 1997 5:38 AM
> > To:	John C. Mallery
> > Cc:	HTTP Working Group
> > Subject:	Re: Digest mess
> > 
> > 
> > 
> > On Wed, 17 Dec 1997, John C. Mallery wrote:
> > 
> > > Yea, and now Internet Explorer 4.0 has broken their digest
> > implementation
> > > form 3.0. Of course, netscape doesn't do digests.
> > 
> >   Internet Explorer doesn't do digest and never has.
Received on Monday, 5 January 1998 06:51:30 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:09 EDT