- From: David W. Morris <dwm@xpasc.com>
- Date: Wed, 21 Jan 1998 09:49:01 -0800 (PST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: Yaron Goland <yarong@microsoft.com>, "'dmk@research.bell-labs.com'" <dmk@research.bell-labs.com>, http-wg@cuckoo.hpl.hp.com

On Tue, 20 Jan 1998, Paul Leach wrote:

>
> A replayable Digest is just as bad as Basic.

There is obviously some disagreement here .... that statement may be true if you limit your considerations to HTTP requests .... but when you consider that all users of some operating systems are forced to use the same userid and password for HTTP *AND* for login to those systems there is a huge difference between basic which allows for trivial recovery of login credentials and digest which doesn't.

And the vendor furnished limitations are just one problem. It is well known that humans tend to use the same passwords in unrelated contexts when given the opportunity to choose their own.

It sure seemed like we had consensus that getting rid of plain text passwords (and I'm sorry but base64 encoding is plain text, just like translating it to EBCDIC would be) was essential and that all the other desirable functionality would be covered in digest-ng.

Dave Morris

Received on Wednesday, 21 January 1998 09:51:24 UTC
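
The distinction drawn in the message above, as an added example that is not part of the original e-mail: it compares what an observed Basic header and an observed Digest request each disclose, and shows how a server that changes its nonce treats a repeated Digest request. The credentials, realm, nonce values and function names are constructed for illustration; the digest calculation follows RFC 2069.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the original message).
USER, PASSWORD, REALM = "alice", "Login-Passw0rd", "example-realm"

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user, password):
    # Basic: base64("user:password"), an encoding with no secret involved.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_from_basic(header):
    # Anyone who sees the header gets the login password back verbatim.
    token = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def digest_fields(user, realm, password, method, uri, nonce):
    # RFC 2069 request-digest: MD5(H(A1) ":" nonce ":" H(A2)).
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "method": method, "response": md5_hex(f"{ha1}:{nonce}:{ha2}")}

def server_accepts(fields, stored_ha1, current_nonce):
    # The server keeps H(A1), not the password, and only honours its current nonce.
    if fields["nonce"] != current_nonce:
        return False
    ha2 = md5_hex(f"{fields['method']}:{fields['uri']}")
    expected = md5_hex(f"{stored_ha1}:{fields['nonce']}:{ha2}")
    return hmac.compare_digest(expected, fields["response"])

def compare_schemes():
    stored_ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    seen_basic = basic_header(USER, PASSWORD)
    seen_digest = digest_fields(USER, REALM, PASSWORD, "GET", "/index.html", "nonce-1")
    return {
        "basic_reveals_password": recover_from_basic(seen_basic)[1] == PASSWORD,
        "digest_reveals_password": any(PASSWORD in v for v in seen_digest.values()),
        "same_request_accepted_again": server_accepts(seen_digest, stored_ha1, "nonce-1"),
        "accepted_after_nonce_change": server_accepts(seen_digest, stored_ha1, "nonce-2"),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```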