
Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Wed, 29 Feb 2012 23:30:03 +0100
Message-ID: <1330554603.24673.92.camel@home.hno.se>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Wed 2012-02-29 at 12:39 -0800, Roy T. Fielding wrote:

> It doesn't work well if your goal is to never send passwords in the clear
> and never share the true password (before being hashed) with each server,
> but that's because of the lack of new auth schemes.  Hence, it isn't
> actually useful for the introduction of new schemes that are intended
> to solve those very problems.

I disagree. It allows for a clean transition. Yes, the goal is not
reached until you can disable basic auth, but this does not mean it's
not useful. It's not realistic to have a model of protocol evolution
without a transition period.

There may be framework things to improve in that area, making sure that
user-agents are not easily fooled into downgrading to a less secure auth
scheme than needed, but I'm not sure it can be realistically done within
HTTP/1.1.

Regards
Henrik
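The downgrade concern raised above, as an added example that is not part of the thread: a user agent that parses a WWW-Authenticate header carrying several challenges, answers the strongest scheme it supports, and refuses to fall back to a weaker scheme for an origin that previously offered a stronger one. The scheme ranking, the per-origin pin policy, the placeholder scheme name `newscheme` and the sample header values are all assumptions of this example, not anything the thread or RFC 2617 prescribes.

```python
"""Added example (not from the mailing-list thread): select among multiple
WWW-Authenticate challenges and resist downgrade to a weaker scheme.
The ranking, the pinning policy and the sample headers are assumptions."""
import re

# Assumed ranking (higher = stronger). "newscheme" is a placeholder standing
# in for a future scheme that never sends the password in the clear.
SCHEME_RANK = {"basic": 0, "digest": 1, "newscheme": 2}

# A part that is a bare scheme token, optionally followed by its first
# parameter or token68 data; "key = value" (with spaces) must not match.
_SCHEME_START = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)(?:\s+(?!=)(.*))?$")
_TOKEN68 = re.compile(r"[A-Za-z0-9._~+/-]+=*")


class DowngradeError(Exception):
    """Raised when an origin offers only schemes weaker than it did before."""


def _split_commas(value):
    """Split a header value on commas that are outside double-quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _parse_param(text):
    """Turn 'key="value"' or 'key=value' into (key, value); token68 data gets key 'token68'."""
    if _TOKEN68.fullmatch(text):
        return "token68", text
    key, _, val = text.partition("=")
    val = val.strip()
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1].replace('\\"', '"')
    return key.strip().lower(), val


def parse_challenges(header_value):
    """Parse one WWW-Authenticate value into a list of (scheme, params) pairs."""
    challenges = []
    for part in _split_commas(header_value):
        m = _SCHEME_START.match(part)
        if m:  # a scheme token starts a new challenge
            challenges.append((m.group(1).lower(), {}))
            part = m.group(2)
            if not part:
                continue
        if not challenges:
            raise ValueError("parameter before any scheme: %r" % part)
        key, val = _parse_param(part)
        challenges[-1][1][key] = val
    return challenges


class AuthSelector:
    """Chooses which challenge to answer and pins the strongest scheme per origin."""

    def __init__(self):
        self._strongest = {}  # origin -> rank of the strongest scheme seen so far

    def select(self, origin, header_value):
        """Return (scheme, params) to respond with, or None if nothing is supported."""
        offered = [(SCHEME_RANK[s], s, p)
                   for s, p in parse_challenges(header_value) if s in SCHEME_RANK]
        if not offered:
            return None
        rank, scheme, params = max(offered, key=lambda t: t[0])
        floor = self._strongest.get(origin, -1)
        if rank < floor:
            # The origin used to offer something stronger; answering a weaker
            # challenge now would expose credentials under the weaker scheme.
            raise DowngradeError("%s offered only %r, weaker than previously seen"
                                 % (origin, scheme))
        self._strongest[origin] = rank
        return scheme, params


if __name__ == "__main__":
    sel = AuthSelector()
    # Constructed sample: a server in transition offers Basic and Digest together.
    print(sel.select("https://wiki.example", 'Basic realm="wiki", Digest realm="wiki", nonce="n1"'))
```

The pin is learned on first contact, so an origin that only ever offers Basic is still accepted; the policy only blocks a later regression, which is exactly the transition-period window the message describes. A real client would also persist the pins and refuse Basic over cleartext transports regardless of history.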
Received on Wednesday, 29 February 2012 22:30:30 GMT
