RE: Authentication in existing WebDAV servers

From: Larry Masinter <masinter@parc.xerox.com>
Date: Tue, 2 Nov 1999 21:21:43 PST
To: "'WebDAV'" <w3c-dist-auth@w3.org>
Message-ID: <000001bf25bb$5162ba40$8230fdcd@copper.parc.xerox.com>

> Personally I like requiring that everyone support Digest.
> This is important for interoperability. You have to have some
> minimum guaranteed level of security interoperability.
> However beyond that I think people should be allowed to be
> as stupid as they want. If they want to send Basic in the clear,
> if they want to avoid using authentication at all, that is their
> business.
> So long as people who do want to do the right thing can do the
> right thing then I'm happy.

The question is whether what's in the spec is actually strong
enough to ensure interoperability. In integrating network systems
with WebDAV, it seems that there is no guaranteed authentication
mechanism that you can be assured of supplying credentials to
that will work with most servers, even for servers that are
technically compliant with the spec.

Right now, it says 
"WebDAV applications MUST support the Digest authentication scheme

But servers might "implement" digest, yet not allow digest authentication
for access rights to any of the server's collections.

Secondly, "Digest authentication" itself may not be specific
enough; do you want to specify a minimum algorithm & qop value?

We've been having some difficulties finding interoperable
authentication mechanisms for non-browser-based WebDAV use.

There's no law that says "you must implement WebDAV", so people
can always implement whatever they want, and do! The question is
whether compliance guarantees interoperability. Right now,
it doesn't seem like it does, and the spec might need to change.

Received on Wednesday, 3 November 1999 00:22:19 UTC
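
Added example, not part of the original message or of any WebDAV implementation: a client-side check that parses the `WWW-Authenticate` values of a 401 response and reports whether the server actually offers Digest at a minimum algorithm and qop. The minimum profile (`qop=auth`, `algorithm=MD5`), the result labels and the sample headers are assumptions constructed for illustration.

```python
import re

# auth-param: name=token or name="quoted string", then a comma or end of value
_PARAM = re.compile(r'\s*([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*(?:,|$)')
_SCHEME = re.compile(r'\s*([A-Za-z][\w-]*)(?:\s+|$)')

def parse_challenges(value):
    """Split one WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    out, pos = [], 0
    while pos < len(value):
        m = _PARAM.match(value, pos)
        if m and out:  # parameter belonging to the most recent scheme
            out[-1][1][m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
        else:
            m = _SCHEME.match(value, pos)
            if not m:
                raise ValueError("unparseable challenge at offset %d" % pos)
            out.append((m.group(1).lower(), {}))
        pos = m.end()
    return out

def assess(headers, min_qop="auth", algorithms=("MD5",)):
    """Classify a 401's challenges against a minimum Digest profile (assumed policy)."""
    schemes, usable = set(), False
    for value in headers:
        for scheme, params in parse_challenges(value):
            schemes.add(scheme)
            if scheme != "digest":
                continue
            qops = {q.strip().lower() for q in params.get("qop", "").split(",")}
            alg = params.get("algorithm", "MD5").upper()  # RFC 2617: MD5 when absent
            usable = usable or (min_qop in qops and alg in algorithms)
    if usable:
        return "digest-ok"
    return "digest-below-minimum" if "digest" in schemes else "no-digest"

# Constructed sample 401 responses, one list of WWW-Authenticate values per server
SAMPLES = {
    "basic-only": ['Basic realm="dav"'],
    "rfc2069-style": ['Digest realm="dav", nonce="abc123", opaque="x"'],
    "both": ['Basic realm="dav", Digest realm="dav", nonce="abc123", '
             'qop="auth,auth-int", algorithm=MD5'],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, "->", assess(headers))
```

A server in the "digest-below-minimum" case advertises Digest but without the qop or algorithm the client requires, which is the gap between nominal compliance and interoperability raised in the message.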