
Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 29 Feb 2012 12:39:15 -0800
Cc: Yoav Nir <ynir@checkpoint.com>, "etf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <90A2BD83-D5C6-431F-A044-F48572B63605@gbiv.com>
To: Henrik Nordström <henrik@henriknordstrom.net>
On Feb 29, 2012, at 12:20 PM, Henrik Nordström wrote:

> On Sun 2012-02-26 at 09:45 +0000, Yoav Nir wrote:
> 
>> This could be circumvented by adding request headers that advertise capabilities, but I don't think we like those much.
> 
> HTTP auth has response headers that advertise capabilities. Works quite
> well. Just challenge for all the auth schemes you support and the client
> picks what it thinks is the best.

It doesn't work well if your goal is to never send passwords in the clear
and never share the true password (before being hashed) with each server,
but that's because of the lack of new auth schemes.  Hence, it isn't
actually useful for the introduction of new schemes that are intended
to solve those very problems.

....Roy
Received on Wednesday, 29 February 2012 20:39:39 GMT
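
An added example, not part of the messages above: the "challenge for every scheme, client picks the best" model from the quoted reply, seen from the client side. The function names, the `PREFERENCE` policy and the `NewScheme` scheme are assumptions made for illustration, and the header value is constructed.

```python
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# Constructed sample header; "NewScheme" is a hypothetical placeholder scheme.
SAMPLE = 'Basic realm="files", Digest realm="files", nonce="a,b\\"c", NewScheme realm="files"'
# Assumed client policy, most preferred first. Basic is absent on purpose:
# it transmits the password itself, only base64-encoded.
PREFERENCE = ["NewScheme", "Digest"]

def split_outside_quotes(value):
    """Split on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_challenges(value):
    """Return [(scheme, {param: value})]. token68 challenge data is not handled."""
    challenges = []
    for item in split_outside_quotes(value):
        start = re.match(rf"^({TOKEN})(?:\s+(?!=)(.*))?$", item)
        if start:  # "Scheme" or "Scheme first-param=value" opens a new challenge
            challenges.append((start.group(1), {}))
            item = start.group(2) or ""
        param = re.match(rf"^({TOKEN})\s*=\s*(.*)$", item)
        if param and challenges:
            val = param.group(2)
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unquote, unescape
            challenges[-1][1][param.group(1).lower()] = val
    return challenges

def pick_challenge(header_value, preference=PREFERENCE):
    """Return the most preferred offered (scheme, params), or None to refuse."""
    offered = {}
    for scheme, params in parse_challenges(header_value):
        offered.setdefault(scheme.lower(), (scheme, params))
    for wanted in preference:
        if wanted.lower() in offered:
            return offered[wanted.lower()]
    return None
```

When the server challenges only with Basic, `pick_challenge` returns `None` and the client refuses rather than sending the password. The client can only choose among the schemes the server actually offers.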
