Re: Resolving Digest authentication issue

From: Alan Kent <ajk@mds.rmit.edu.au>
Date: Fri, 2 Nov 2001 13:52:54 +1100
To: w3c-dist-auth@w3.org
Message-ID: <20011102135254.G7312@io.mds.rmit.edu.au>

On Thu, Nov 01, 2001 at 05:52:37PM -0800, Jim Whitehead wrote:
> * Basic MUST NOT be used unless the connection is secure. Secure is defined
> to be TLS over the Internet, a physically secure network, or a network
> behind a well-administered firewall.
> 
> Client requirements: MUST support Basic, SSL/TLS support is STRONGLY
> RECOMMENDED
> Server requirements: SHOULD support Basic, SSL/TLS support is STRONGLY
> RECOMMENDED
> 
> * Digest SHOULD be used when the connection is insecure, such as a non-TLS
> connection over the Internet.
> 
> Client requirements: MUST support Digest
> Server requirements: SHOULD support Digest, but it is acceptable for Digest
> authentication to be disabled by default. It SHOULD be possible for an
> administrator to configure a server to use Digest.
> 
> * Additional authentication schemes beyond Basic and Digest MAY be
> supported, whether or not described in an IETF specification. Implementors
> should be aware that use of other authentication schemes guarantees some
> level of non-interoperation of that authentication scheme, since all WebDAV
> clients and servers cannot be expected to support that authentication
> scheme.
> 
> * Finally, to guarantee some level of authentication will be possible: a
> server MUST at minimum support either Basic OR Digest. A server SHOULD
> support Basic AND Digest.
...
> Comments?
> 
> - Jim

Sounds good to me.
Alan
Received on Thursday, 1 November 2001 21:53:46 GMT
