- From: Lisa Dusseault <lisa@xythos.com>
- Date: Fri, 26 Oct 2001 09:55:48 -0700
- To: "Larry Masinter" <LMM@acm.org>, "Jason Crawford" <ccjason@us.ibm.com>
- Cc: <w3c-dist-auth@w3.org>
> I think what RFC 2518 says is that WebDAV clients > must USE digest authentication for authentication. Currently it says "WebDAV applications MUST support the Digest authentication scheme". Yours might be a nice clarification (is an application a client, a server or both?), but we'd have to say something about servers as well. > (a) means that if you have a compliant client and > a compliant server, they should work together. > Letting servers implement basic with SSL only > without requiring clients to implement basic > with SSL means you wouldn't have interoperability. > Requiring clients to implement SSL means (I think) > that you're requiring them to implement patented > technology. What patented technology are you talking about? In practice, SSL requires RSA, but the patent has expired. There are also plenty of unpatented symmetric algorithms usable with SSL. It's true that SSL is patented itself by Netscape but they've released it for royalty-free use (see rfc2246 appendix G.) Is there still an issue with that? Aside from the patent issues, we might consider whether it's now reasonable to require WebDAV clients to support SSL. I agree that it's too weak to say nothing or to say "authentication must be supported"; for the reasons Larry outlines we need to specify which mechanisms. lisa
Received on Friday, 26 October 2001 12:56:53 UTC