- From: John Cowan <cowan@ccil.org>
- Date: Wed, 15 Nov 2006 14:38:31 -0500
- To: "Rice, Ed (ProCurve)" <ed.rice@hp.com>
- Cc: www-tag@w3.org
Rice, Ed (ProCurve) scripsit:

> For example, on the news source
> outlined in the post it's clear that a news story doesn't need to use
> SHTML but if the user hasn't authenticated it would be easy to redirect
> the user to a login page and I do think that login page should use
> SHTML. Once the user has authenticated, the content may or may not
> raise to the level of secure content and if not straight HTML in fact
> would be preferable.

I assume s/HTML/HTTP/. In any case, basic HTTP authentication has no concept of a "login page"; every request bears the authentication headers except the first one, which fails with a 403. My present employer deploys RSS feeds under basic authentication, for example, where there would be no way to handle a login page if it did exist.

> So, what John's article doesn't say is 'yeah, I think it's ok to pass
> passwords around in clear text' I believe he's saying 'only secure what
> you need to'.. I don't disagree with the latter. (John correct me if
> I've misread).

No, I do affirm that passing around passwords in clear text may be good enough in particular cases, just as signs that say "UNAUTHORIZED PERSONNEL KEEP OUT" may be enough, or easily-forced pin-tumbler locks, or any number of other easily defeated technologies.

--
Some people open all the Windows;       John Cowan
wise wives welcome the spring           cowan@ccil.org
by moving the Unix.                     http://www.ccil.org/~cowan
  --ad for Unix Book Units (U.K.)
        (see http://cm.bell-labs.com/cm/cs/who/dmr/unix3image.gif)
Received on Wednesday, 15 November 2006 21:00:31 UTC
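
An added illustration, not part of the original message: a Python model of the Basic authentication exchange discussed in this thread, showing the header-only challenge (status 401 with `WWW-Authenticate`, as RFC 7617 specifies), the credentials resent on every later request, and how any observer of an unencrypted request recovers the password. The realm, user name, password and function names are constructed for the example.

```python
import base64
import hmac

# Constructed sample realm and credentials (assumptions, not from the thread).
REALM = "feeds"
USERS = {"reader": "s3cret-feed-pw"}

def basic_header(user, password):
    """Client side: build the Authorization value sent with every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token

def decode_basic(value):
    """Recover (user, password) from a header value, or None if malformed.
    Base64 is an encoding, not encryption: any on-path observer can do this."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def handle(headers):
    """Server side: stateless check of one request; returns (status, headers)."""
    creds = decode_basic(headers.get("Authorization", ""))
    if creds is not None:
        expected = USERS.get(creds[0])
        if expected is not None and hmac.compare_digest(
                expected.encode(), creds[1].encode()):
            return 200, {"Content-Type": "application/rss+xml"}
    # No login page exists: the challenge is only a status code and a header.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

def fetch_feed(user, password):
    """Client flow: one bare request, then the header on every later request."""
    trace = [handle({})[0]]
    auth = {"Authorization": basic_header(user, password)}
    for _ in range(2):  # each poll of the feed resends the credentials
        trace.append(handle(auth)[0])
    return trace, auth["Authorization"]

if __name__ == "__main__":
    statuses, sent = fetch_feed("reader", "s3cret-feed-pw")
    print(statuses, "observer sees:", decode_basic(sent))
```

Because the header travels with every request, a feed polled over plain HTTP exposes the password on each poll, not only at first login.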