W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

From: Adrien de Croy <adrien@qbik.com>
Date: Wed, 13 Jun 2007 10:16:27 +1200
Message-ID: <466F1B3B.3040409@qbik.com>
To: Mark Nottingham <mnot@mnot.net>
CC: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Julian Reschke <julian.reschke@gmx.de>, Apps Discuss <discuss@apps.ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>


my experience also is that it is extremely rare to encounter public web 
servers that use any HTTP auth mechanism.

NTLM and Basic auth is often used for intranets, and proxy access.

I've never seen an instance of Digest auth.

Seems to me that the issue of securing communications and authenticating 
or identifying parties are closely aligned, why not just have some form 
of auth built into TLS, then we could use it for any protocol that can 
use TLS, instead of having to implement separate auth schemes for every 
higher protocol.


Mark Nottingham wrote:
>
>
> On 08/06/2007, at 6:10 PM, Stephane Bortzmeyer wrote:
>
>>
>> On Thu, Jun 07, 2007 at 06:18:13PM +0200,
>>  Julian Reschke <julian.reschke@gmx.de> wrote
>>  a message of 14 lines which said:
>>
>>> In the wild, most authentication isn't using RFC2617 anyway.
>>
>> Any data here? IMHO, this assertion is not true, unless you limit to
>> big e-commerce Web sites. For instance, HTTP-based Web services use
>> 2617.
>
> My experience is that it isn't adequate for even those purposes, in 
> many cases.
>
> -- 
> Mark Nottingham     http://www.mnot.net/
>
>
Received on Tuesday, 12 June 2007 22:16:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:10 GMT