- From: Scott Lawrence <lawrence@agranat.com>
- Date: Tue, 28 Jul 1998 17:22:41 +0000
- To: mcmanus@appliedtheory.com
- Cc: http working group <http-wg@cuckoo.hpl.hp.com>
Patrick McManus wrote: > My problem is that if my server doesn't list Basic as the first choice > (but does list is as less preferred to Digest) some existing 1.0 clients > that can't do digest but can do basic don't realize that basic is an > option.. But those are buggy even with respect to 2068; it's one thing for us to aim for compatibility with software that conformed to the Proposed Standard, but to maintain compatibility with something that was broken with respect to them can be too difficult a standard to meet. > I'm generally in favor of 1 of two paths to resolve the issue: > 1] remove the notion of server specified preference.. the > credentials belong to the client, it seems to me they should > understand what the risks are in sending them out on the > network. In this way the challenge specifes understandable > methods only. It is only a preference, and does not mandate anything - a browser could send basic when it might have sent digest; since the server cannot tell what its complete capabilities are, it makes no difference. Either basic is acceptable or not. Eventually, I hope that digest will be supported well enough in browsers that I can recommend to my customers that they turn off support for basic, but we've a long way to go... > 2] introduce q values That only makes the situation worse by increasing the number of browsers that don't understand what you are doing. -- Scott Lawrence Consulting Engineer <lawrence@agranat.com> Agranat Systems, Inc. Embedded Web Technology http://www.agranat.com/
Received on Tuesday, 28 July 1998 10:36:13 UTC