Re: 'Basic' Authentication...

If you could suggest specific wording changes, e.g., for
draft-ietf-http-v10-spec-04.txt section 12.1:

> 12.1  Authentication of Clients

>   As mentioned in Section 11.1, the Basic authentication scheme is 
>   not a secure method of user authentication, nor does it prevent the 
>   Entity-Body from being transmitted in clear text across the 
>   physical network used as the carrier. HTTP/1.0 does not prevent 
>   additional authentication schemes and encryption mechanisms from 
>   being employed to increase security.

that would be very useful. I do think that this is an issue that needs
resolution before HTTP/1.0 goes out the door. Basic authentication
does not actually imply that plaintext passwords are being used; the
password can be one-time, e.g., with a SecurID.

For what it's worth, I'm not sure:

>   HTTP/1.0 does not prevent
>   additional authentication schemes and encryption mechanisms from
>   being employed to increase security.

carries a lot of meaning to the uninitiated.

Received on Friday, 26 January 1996 14:37:15 UTC
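As an added illustration of the two points in the message above, this example (not code from the message, the draft, or any HTTP implementation; the user, the one-time codes and the policy outcomes are constructed) decodes a Basic `Authorization` header to show it is only encoded, not encrypted, and then applies a server policy in which a one-time code is consumed on first use, so a copy captured in transit cannot be replayed.

```python
import base64
import binascii
import hmac

# Constructed one-time-code store: user-id -> set of still-unused codes.
# Real codes would come from a token device; this table is an assumption
# made only for the example.
ONE_TIME_CODES = {"alice": {"482913", "117204"}}


def build_basic_authorization(user_id, secret):
    """Form the header value a client sends: Base64 of 'user-id:password'."""
    return "Basic " + base64.b64encode(f"{user_id}:{secret}".encode()).decode()


def parse_basic_authorization(header):
    """Recover (user-id, password) from 'Basic <base64>', or None if malformed.

    Base64 is reversible by design: anyone reading the request on the wire
    gets the credential back exactly, which is why the draft says Basic is
    not a secure method on an unencrypted carrier.
    """
    scheme, _, credentials = header.strip().partition(" ")
    if scheme.lower() != "basic" or not credentials:
        return None
    try:
        decoded = base64.b64decode(credentials.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user_id, sep, password = decoded.partition(":")
    if not sep:  # the colon separator is mandatory in the Basic credential
        return None
    return user_id, password


def authenticate(header, transport_encrypted):
    """Server-side decision: 'ok', 'invalid', 'refused-cleartext' or 'malformed'.

    A matching one-time code is accepted once and then discarded, so a
    captured copy fails on replay. Anything else is evaluated only when the
    transport is encrypted; otherwise the request is refused outright.
    """
    parsed = parse_basic_authorization(header)
    if parsed is None:
        return "malformed"
    user_id, secret = parsed
    unused = ONE_TIME_CODES.get(user_id, set())
    for code in list(unused):
        if hmac.compare_digest(code.encode(), secret.encode()):
            unused.discard(code)  # single use: the same code is now worthless
            return "ok"
    return "invalid" if transport_encrypted else "refused-cleartext"
```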