Wed 2012-02-29 at 12:39 -0800, Roy T. Fielding wrote:
> It doesn't work well if your goal is to never send passwords in the clear
> and never share the true password (before being hashed) with each server,
> but that's because of the lack of new auth schemes. Hence, it isn't
> actually useful for the introduction of new schemes that are intended
> to solve those very problems.

I disagree. It allows for a clean transition. Yes, the goal is not reached until you can disable basic auth, but this does not mean it's not useful.

It's not realistic to have a model of protocol evolution without a transition period.

There may be framework things to improve in that area, making sure that user-agents are not easily fooled into downgrading to a less secure auth scheme than needed, but I'm not sure it can be realistically done within HTTP/1.1.

Regards
Henrik

Received on Wednesday, 29 February 2012 22:30:30 GMT
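A user-agent-side selection policy illustrating the downgrade concern raised above, as an added Python example that is not part of the thread: it parses the challenges a server offers and refuses to fall back below the strongest scheme previously seen from that origin. The scheme ranking and the placeholder scheme name "newscheme" are assumptions.

```python
# Added example, not from the original thread. The ranking below and the
# placeholder "newscheme" token are assumptions for illustration.
SCHEME_RANK = {"newscheme": 3, "digest": 2, "basic": 1}  # strongest first


def split_top_level(value):
    """Split a header value on commas that are outside double quotes.
    Simplification: backslash-escaped quotes inside quoted strings are not handled."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_challenges(header):
    """Return lowercased scheme names from a WWW-Authenticate value.
    A comma-separated piece whose first token contains '=' is a parameter
    of the preceding challenge (e.g. nonce="..."), not a new scheme."""
    schemes = []
    for part in split_top_level(header):
        first = part.split(None, 1)[0]
        if "=" in first:
            continue
        schemes.append(first.lower())
    return schemes


def choose_scheme(offered, remembered_best=0, transport_secure=False):
    """Pick the strongest supported scheme. Return None when the offer is a
    downgrade below the best rank remembered for this origin, or when the
    only acceptable choice is Basic over an insecure transport."""
    ranked = [(SCHEME_RANK[s], s) for s in offered if s in SCHEME_RANK]
    if not ranked:
        return None
    rank, scheme = max(ranked)
    if rank < remembered_best:
        return None  # server (or an attacker in the path) is offering less than before
    if scheme == "basic" and not transport_secure:
        return None  # never send a cleartext password over an insecure transport
    return scheme
```

The remembered rank would in practice be keyed by origin and persisted across responses, which is what lets the client notice a downgrade rather than just a weak first offer.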