- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 29 Feb 2012 12:39:15 -0800
- To: Henrik Nordström <henrik@henriknordstrom.net>
- Cc: Yoav Nir <ynir@checkpoint.com>, "etf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Feb 29, 2012, at 12:20 PM, Henrik Nordström wrote:

> Sun 2012-02-26 at 09:45 +0000, Yoav Nir wrote:
>
>> This could be circumvented by adding request headers that advertise capabilities, but I don't think we like those much.
>
> HTTP auth has response headers that advertise capabilities. Works quite
> well. Just challenge for all the auth schemes you support and the client
> picks what it thinks is the best.

It doesn't work well if your goal is to never send passwords in the clear and never share the true password (before being hashed) with each server, but that's because of the lack of new auth schemes. Hence, it isn't actually useful for the introduction of new schemes that are intended to solve those very problems.

....Roy
Received on Wednesday, 29 February 2012 20:39:39 UTC
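The mechanism Henrik describes (the server sends a challenge for every scheme it supports, the client picks one) and Roy's caveat (every existing scheme still hands the password, or something derived directly from it, to each server) can be shown with a small client-side selector. The following is an added example, not code from this thread or from any HTTP implementation the participants maintain. It parses one or more `WWW-Authenticate` header values into individual challenges (the comma-separated `scheme param=value, ...` syntax of RFC 7235), chooses a scheme by a client preference order, and reports whether the chosen scheme transmits the password itself. The preference order `SCHEME_PREFERENCE` and the `SENDS_CLEARTEXT_PASSWORD` table are assumptions made for the example; the header values in `SAMPLE_HEADERS` are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed client preference, most preferred first (an assumption for this
# example; the thread does not specify any ordering).
SCHEME_PREFERENCE = ["Digest", "Basic"]

# Assumed property table: does the scheme put the password itself on the wire?
# Basic sends it base64-encoded (i.e. in the clear absent TLS); Digest sends a
# hash that is still derived directly from the true password.
SENDS_CLEARTEXT_PASSWORD = {"basic": True, "digest": False}

# RFC 7230 token characters.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param: token "=" ( token / quoted-string )
_PARAM = re.compile(rf'({_TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{_TOKEN})')

Challenge = Tuple[str, Dict[str, str]]


def parse_challenges(header_values: List[str]) -> List[Challenge]:
    """Split WWW-Authenticate header values into (scheme, params) pairs.

    A single header value may carry several challenges separated by commas,
    and a response may carry several such headers; both are handled.
    """
    challenges: List[Challenge] = []
    for value in header_values:
        pos = 0
        while pos < len(value):
            # Skip whitespace and commas that separate challenges.
            pos += re.match(r"[\s,]*", value[pos:]).end()
            if pos >= len(value):
                break
            m = re.match(_TOKEN, value[pos:])
            if not m:
                raise ValueError(f"malformed challenge near offset {pos}: {value!r}")
            scheme = m.group(0)
            pos += m.end()
            params: Dict[str, str] = {}
            # Consume auth-params until the next token is not followed by "=",
            # which means it is the scheme name of the next challenge.
            while True:
                start = pos + re.match(r"[\s,]*", value[pos:]).end()
                pm = _PARAM.match(value, start)
                if not pm:
                    break
                name, raw = pm.group(1), pm.group(2)
                if raw.startswith('"'):
                    raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape quoted-pair
                params[name.lower()] = raw
                pos = pm.end()
            challenges.append((scheme, params))
    return challenges


def choose_challenge(challenges: List[Challenge],
                     preference: List[str] = SCHEME_PREFERENCE) -> Optional[Challenge]:
    """Return the first challenge matching the most preferred scheme, or None."""
    for wanted in preference:
        for scheme, params in challenges:
            if scheme.lower() == wanted.lower():
                return (scheme, params)
    return None


def exposes_password(scheme: str) -> Optional[bool]:
    """True if the scheme sends the password itself, False if it sends a
    password-derived hash, None if the scheme is not in the assumed table."""
    return SENDS_CLEARTEXT_PASSWORD.get(scheme.lower())


# Constructed sample: two WWW-Authenticate headers on one 401 response.
SAMPLE_HEADERS = [
    'Digest realm="api", qop="auth", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=SHA-256',
    'Basic realm="api"',
]

if __name__ == "__main__":
    offered = parse_challenges(SAMPLE_HEADERS)
    print("offered:", [s for s, _ in offered])
    picked = choose_challenge(offered)
    print("picked:", picked)
    print("password sent in clear:", exposes_password(picked[0]))
```

The selector shows Henrik's point working as advertised: the client never needs a request header to learn what the server accepts. Roy's point shows up in the last line: even the preferred choice only avoids the cleartext case, and nothing the parser can pick avoids deriving the proof from the true password for each server, because no such scheme is on offer.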