
Re: [closed] Re: p:http-request's send-authorization use case?

From: Florent Georges <fgeorges@gmail.com>
Date: Thu, 5 Feb 2009 16:51:24 +0100
Message-ID: <ebaca5bf0902050751o280c6130if7e343f7da6c6d53@mail.gmail.com>
To: mozer <xmlizer@gmail.com>
Cc: Norman Walsh <ndw@nwalsh.com>, XProc Dev <xproc-dev@w3.org>

2009/2/5 mozer wrote:

>> If you know that you're using Basic authentication, then you can send
>> the credentials first and avoid the "got a 401, retry with
>> credentials" round trip.

>> > Why not always send credentials on
>> > the first request, when specified?  I guess this is related to
>> > security, to not send credentials without the user explicitly
>> > requesting so?

>> Credentials that you send on the first attempt are effectively clear
>> text. (They're hashed, but I think it's reversible.)

> Well, small fix here: hashing is not reversible; but using the hashed value
> you can reproduce the logging, which is definitely a security issue

  I am not sure we are speaking about the same thing here, but in Basic
Authentication, the credentials are not encoded (yes, in base64, but
that's just for transport neutrality purposes, not for security.)

-- 
Florent Georges
http://www.fgeorges.org/
Received on Thursday, 5 February 2009 15:52:30 GMT
