RE: I command you to support Digest!!!

From: Lisa Dusseault <lisa@xythos.com>
Date: Fri, 26 Oct 2001 09:55:48 -0700
To: "Larry Masinter" <LMM@acm.org>, "Jason Crawford" <ccjason@us.ibm.com>
Cc: <w3c-dist-auth@w3.org>
Message-ID: <HPELJFCBPHIPBEJDHKGKAEJMCPAA.lisa@xythos.com>

> I think what RFC 2518 says is that WebDAV clients
> must USE digest authentication for authentication.

Currently it says "WebDAV applications MUST support the Digest
authentication scheme".
Yours might be a nice clarification (is an application a client, a server or
both?), but we'd have to say something about servers as well.

> (a) means that if you have a compliant client and
> a compliant server, they should work together.
> Letting servers implement basic with SSL only
> without requiring clients to implement basic
> with SSL means you wouldn't have interoperability.
> Requiring clients to implement SSL means (I think)
> that you're requiring them to implement patented
> technology.

What patented technology are you talking about? In practice, SSL requires
RSA, but the patent has expired. There are also plenty of unpatented
symmetric algorithms usable with SSL. It's true that SSL is patented itself
by Netscape but they've released it for royalty-free use (see RFC 2246
Appendix G). Is there still an issue with that?

Aside from the patent issues, we might consider whether it's now reasonable
to require WebDAV clients to support SSL.

I agree that it's too weak to say nothing or to say "authentication must be
supported"; for the reasons Larry outlines we need to specify which
mechanisms.

lisa
Received on Friday, 26 October 2001 12:56:53 GMT
