W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1998

Re: Digest Authentication Challenge Ordering

From: Scott Lawrence <lawrence@agranat.com>
Date: Tue, 28 Jul 1998 17:22:41 +0000
Message-Id: <35BE08E1.A7B9DE18@agranat.com>
To: mcmanus@appliedtheory.com
Cc: http working group <http-wg@cuckoo.hpl.hp.com>
Patrick McManus wrote:

> My problem is that if my server doesn't list Basic as the first choice
> (but does list is as less preferred to Digest) some existing 1.0 clients
> that can't do digest but can do basic don't realize that basic is an
> option.. 

But those are buggy even with respect to 2068; it's one thing for us to aim
for compatibility with software that conformed to the Proposed Standard, but
to maintain compatibility with something that was broken with respect to
them can be too difficult a standard to meet.

> I'm generally in favor of 1 of two paths to resolve the issue:

>     1] remove the notion of server specified preference.. the
>     credentials belong to the client, it seems to me they should
>     understand what the risks are in sending them out on the
>     network. In this way the challenge specifes understandable
>     methods only.

It is only a preference, and does not mandate anything - a browser could
send basic when it might have sent digest; since the server cannot tell what
its complete capabilities are, it makes no difference.  Either basic is
acceptable or not.  Eventually, I hope that digest will be supported well
enough in browsers that I can recommend to my customers that they turn off
support for basic, but we've a long way to go...

>     2] introduce q values

That only makes the situation worse by increasing the number of browsers
that don't understand what you are doing.

-- 
Scott Lawrence            Consulting Engineer        <lawrence@agranat.com>
Agranat Systems, Inc.   Embedded Web Technology     http://www.agranat.com/
Received on Tuesday, 28 July 1998 10:36:13 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:19 EDT