- From: Jim Luther <luther.j@apple.com>
- Date: Tue, 17 Sep 2002 18:17:40 -0700
- To: Webdav WG <w3c-dist-auth@w3c.org>
(the post copied below reminded me to say something) The Mac OS X 10.2 WebDAV file system client posts a warning for Basic authentication over connections which are not secure. Because RFC2518 section 1.71 says, "Since Basic authentication for HTTP/1.1 performs essentially clear text transmission of a password, Basic authentication MUST NOT be used to authenticate a WebDAV client to a server unless the connection is secure", we thought about disabling Basic authentication until our client supports secure connections. However, we found many servers allow access over insecure connections, require authentication, but support only Basic and not Digest. Instead of cutting off access to those servers (which do not comply with RFC2518), we decided to allow Basic to be used but only after the user clicks through a warning dialog which reads, "You have been challenged by a WebDAV server which is not secure. If you continue and supply your username and password, they can be read while in transit." Once secure connection support is added to our client, we may revisit this issue and only allow Basic authentication when the connection is secure. I should have brought this issue up during the Interop event in Santa Cruz, because many of the servers I tested against there did not support Digest authentication. Since Digest support is a MUST in RFC2518, it would be nice if our client could depend on it and not have to bother users with a warning. - Jim On Tuesday, September 17, 2002, at 05:47 PM, Eric Sedlar wrote: > > As long as you don't mind a client saying something to the effect of: > > "This server does not support the minimal level of functionality that > <product> requires of a WebDAV server (ETags). We strongly discourage > you > from using this server, as you may lose work." > > when it points at your server, then go ahead and don't support ETags. > > --Eric > > ----- Original Message ----- > From: "Clemm, Geoff" <gclemm@rational.com> > To: "Webdav WG" <w3c-dist-auth@w3c.org> > Sent: Tuesday, September 17, 2002 6:50 AM > Subject: RE: ETags, was: Issues from Interop/Interim WG Meeting > > >> >> I agree. >> >> -----Original Message----- >> From: Julian Reschke [mailto:julian.reschke@gmx.de] >> Sent: Tuesday, September 17, 2002 4:58 AM >> To: Lisa Dusseault; Webdav WG >> Subject: ETags, was: Issues from Interop/Interim WG Meeting >> >> >> >>> From: w3c-dist-auth-request@w3.org >>> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Lisa Dusseault >>> Sent: Sunday, September 15, 2002 8:14 PM >>> To: Webdav WG >>> Subject: Issues from Interop/Interim WG Meeting >>> >>> ... >>> - Be clear in spec that servers MUST do ETags. Explain how necessary >>> this is to solve the lost update problem. >>> .. >> >> ETags are a good thing, correct. However, HTTP (RFC2616) doesn't >> require >> them, RFC2518 doesn't require them, and they '*aren't* required for >> interoperability. So there's no way to require them in RFC2518bis -- >> it >> would break all servers that don't have them. >> >> Julian >> >> -- >> <green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760 >> >> >
Received on Tuesday, 17 September 2002 21:17:53 UTC