Re: CHALLENGE-ORDER: proposed change

good morning,

In a previous episode Scott Lawrence said...

:: I don't believe that leaving the choice of schemes to the browser creates
:: any problems that are not there anyway, so I propose the following

That's a key point. In the end, the browser needs to make the decision
of whether or not sending their credentials onto the wire is within
their security policy.

::     4.6 Weakness Created by Multiple Authentication Schemes
::     
::     An HTTP/1.1 server MAY return multiple challenges with a 401
::     (Unauthorized) response, and each challenge MAY use a different
::     scheme.  The user is free to choose from among the offered challenges
::     it understands and request credentials from the user based upon that
::     challenge.  The user agent SHOULD choose the scheme it considers to be
::     most secure; the Basic scheme, or any other scheme which transmits
::     credentials in a way that allows for replay of those credentials,
::     SHOULD NOT be used if there is an alternative available. 

I'd scratch the last portion of that ("; the Basic scheme, ...") as
being redundant. 

Related point: It's important to me to keep UA-based decisions out of
the spec. They're messy, non-scalable, and inevitably become
historical cruft you can never quite get rid of. I've currently only
got one in this codebase (Content-Encodings with respect to some Unix
versions of Netscape), and would like to keep it that way.

The above proposed change satisfies my need while allowing an auth
upgrade path for clients.

-P

Received on Tuesday, 4 August 1998 06:42:36 UTC
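The selection rule in the quoted 4.6 text, worked through as an added Python example (not code from the thread or from any HTTP draft): the client parses the challenges a 401 offered, ignores the order the server listed them in, and answers the strongest scheme it understands, falling back to a replayable scheme such as Basic only when nothing else was offered and its own policy allows it. The scheme ranks, the "replayable" set and the sample header values are assumptions constructed for this example.

```python
import re

# Added example (not from the thread): a user-agent-side chooser for the
# policy in the proposed 4.6 text. The ranks and the "replayable" set are
# this example's assumptions; a real UA would make them configurable.
SCHEME_RANK = {"basic": 0, "digest": 1}   # higher = considered more secure
REPLAYABLE = {"basic"}                     # credentials reusable if captured

_SKIP = re.compile(r"[\s,]*")
_PARAM = re.compile(r'([\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)')
_SCHEME = re.compile(r"([A-Za-z0-9._-]+)(?=[\s,]|$)")


def parse_challenges(header_values):
    """Split WWW-Authenticate field values (auth-param form only; token68
    challenges are not handled) into (scheme, params) pairs, preserving the
    order the server listed them. Quoted values are unquoted, not unescaped."""
    challenges = []
    for value in header_values:
        pos, current = 0, None
        while True:
            pos = _SKIP.match(value, pos).end()   # skip separators
            if pos >= len(value):
                break
            m = _PARAM.match(value, pos)
            if m and current is not None:         # name=value belongs to current scheme
                current[1][m.group(1).lower()] = m.group(2).strip('"')
            else:                                 # otherwise a new scheme starts
                m = _SCHEME.match(value, pos)
                if not m:
                    raise ValueError("malformed challenge near %r" % value[pos:pos + 20])
                current = (m.group(1).lower(), {})
                challenges.append(current)
            pos = m.end()
    return challenges


def choose_challenge(challenges, allow_replayable=True):
    """Decide which challenge to answer. Server order is deliberately ignored:
    the most secure scheme this client understands wins, and a replayable
    scheme is used only when nothing better was offered and local policy
    (allow_replayable) permits sending such credentials at all."""
    known = [c for c in challenges if c[0] in SCHEME_RANK]
    safe = [c for c in known if c[0] not in REPLAYABLE]
    pool = safe or (known if allow_replayable else [])
    if not pool:
        return None                               # refuse rather than downgrade
    return max(pool, key=lambda c: SCHEME_RANK[c[0]])


if __name__ == "__main__":
    # Constructed sample: the server lists Basic first, then Digest.
    offered = parse_challenges(['Basic realm="wg"', 'Digest realm="wg", nonce="n1", qop="auth"'])
    print(choose_challenge(offered))   # ('digest', {'realm': 'wg', 'nonce': 'n1', 'qop': 'auth'})
```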