W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: RFC2616 vs RFC2617, was: Straw-man charter for http-bis

From: <lists@ingostruck.de>
Date: Wed, 13 Jun 2007 09:57:42 +0000
To: Henrik Nordstrom <henrik@henriknordstrom.net>, Adrien de Croy <adrien@qbik.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <200706130957.43547.lists@ingostruck.de>

On Tuesday 12 June 2007 22:56, Henrik Nordstrom wrote:
> Yes, due to the brokenness not all the security features of Digest can
> be used (strict replay protection),
Even that could be done at the cost of additional round trips.

> but it's heaps better than Basic even without them..
>
> Using TLS is often overkill, and requires much more administration to
> get a certificate issued, installed etc.
For me this is the principal argument of using digest auth.
a) using TLS needs a cert which costs money and is overkill
   for some applications while on the other hand it is just
   grossly negligent to use basic over unencrypted connections
b) (see my mail from 2007-06-08 to the list), the application of a
   restricted (semi-)public proxy naturally cannot use any sort of
   TLS-auth because it needs to tunnel encrypted connections

Kind regards

Ingo
Received on Wednesday, 13 June 2007 08:46:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:10 GMT