On 26-Jun-08 at 11:49, SJ Kissane wrote:

> Seriously, in today's world, given the wide availability of both
> proprietary and open source SSL/TLS solutions, and the significant
> industry experience in implementing them (I mean, even my cell phone
> does TLS!), are there any circumstances in which Digest authentication
> is justified? Should not therefore digest authentication be simply
> *deprecated*?

By no means.

There's one single reason why TLS/SSL has failed to be convincing to all users: self-signed certificates are considered bad and announced as such.

The wrong thing is that identity and encryption have been put in the same basket so much that no user knows that SSL with, e.g., banks, is safe if you actually consider the certificate's identity name (that one is "guaranteed") and that it is the best anti-phishing way. Instead, people just speak about "secure" communication meaning... encrypted. And then self-signed certificates are considered bad practice.

So the single reason for digest: no-annoyance, no-password-in-the-clear (since self-signed means annoyance).

paul
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 12 September 2008 07:02:23 GMT