- From: Kris Benson <doctorkb@synaptic.net>
- Date: Fri, 19 Jan 1996 19:10:50 -0801 (PST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

There has been some discussion on the possibility of omitting the 'Basic' Authentication scheme in the newest version of the spec. Here are my thoughts:

1) While the 'Basic' scheme *is* insecure, it is already considered a *standard*. Almost all browsers support it and it allows webmasters and developers alike to put some sort of 'protection' on their pages, albeit limited, however existent. If we obliterate this from the spec, then we end up with something like Netscape's SSL. Proprietary, and not-widely-supported. This is not necessarily A Good Thing (as it has been for Netscape) simply because we are attempting to build a platform which will be client independent, regardless of the platform or client.

2) If it is removed, it should either be replaced or transferred to another ID or RFC for it or another backwardly compatible authentication method for the HTTP protocol. Perhaps something to the effect of the server sending the salt, the client encrypting its password, and sending it back for authentication.

3) In short, web developers depend on this part of the standard as much as any other part, and it must remain part of a standard or at least included for backwards compatibility.

--
Kris "The Doctor" Benson <kris@hackers-unlimited.com>
President, Hackers Unlimited
Personal HomePage: http://www.hackers-unlimited.com/doctorkb/
Hackers Unlimited: http://www.hackers-unlimited.com/
JAPH, HTMLer, Webmaster, UNIX guy for hire...

Received on Friday, 19 January 1996 19:12:54 UTC