Re: digest vs basic

On Wed, 28 Aug 1996, Peter J Churchyard wrote:

> As Larry has pointed out, basic for client / server non-persistent requests
> is a poor choice.
> 
> client - proxy with persistent connection between client and proxy
> when used with one time password systems (as we do in our product) allows
> sites to authenticate strongly which of their users can do WEB stuff.
> 

This sounds interesting.  But I am not sure whether you 

   (1) Authenticate a client only once for a persistent connection,

or

   (2) Authenticate each transaction (reusing the password), but use
      a new password anytime there is a new connection.

Either would seem possible.  

If it is (1) then strictly speaking you are probably not HTTP
compliant since you are essentially making the Proxy-Authorization
header "sticky".  But I see no reason that your proxy shouldn't
interoperate with HTTP clients.

If it is (2) then you aren't strictly using one-time passwords, as the
same password is re-used for each transaction, but you should have
essentially all the benefits of one-time passwords.


John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu

Received on Wednesday, 28 August 1996 15:07:21 UTC
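
The two interpretations discussed in the message above, modelled as an added example; it is not part of the original message and not the product's code. The `OtpProxy` class, the mode names, the ordered password list and the use of Basic encoding in `Proxy-Authorization` are assumptions made for illustration.

```python
import base64, hmac

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(value):
    """Return (user, password), or None when the header is absent or malformed."""
    scheme, _, token = (value or "").partition(" ")
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:
        return None
    return (user, password) if scheme.lower() == "basic" and sep else None

class OtpProxy:
    """Hypothetical proxy model; mode 'sticky' is (1), 'per_request' is (2)."""
    def __init__(self, otp_lists, mode):
        self.unused = {u: list(p) for u, p in otp_lists.items()}  # next valid OTP first
        self.mode, self.bound = mode, {}  # bound: connection id -> accepted credentials
    def open(self, conn):
        self.bound[conn] = None
    def close(self, conn):
        self.bound.pop(conn, None)
    def request(self, conn, proxy_authorization=None):
        creds = parse_basic(proxy_authorization)
        if self.bound[conn] is None:
            # First authentication on this connection consumes one OTP.
            queue = self.unused.get(creds[0], []) if creds else []
            if not queue or not hmac.compare_digest(queue[0].encode(), creds[1].encode()):
                return 407
            queue.pop(0)
            self.bound[conn] = creds
            return 200
        if self.mode == "sticky":
            return 200  # (1): the connection itself carries the authentication
        # (2): every request must repeat the password bound to this connection
        return 200 if creds == self.bound[conn] else 407

def demo(mode):
    proxy = OtpProxy({"alice": ["otp-1", "otp-2"]}, mode)  # constructed sample data
    cred1, cred2 = basic("alice", "otp-1"), basic("alice", "otp-2")
    proxy.open("c1")
    codes = [proxy.request("c1"), proxy.request("c1", cred1),
             proxy.request("c1"), proxy.request("c1", cred1)]
    proxy.close("c1")
    proxy.open("c2")  # new connection: the old password must no longer work
    return codes + [proxy.request("c2", cred1), proxy.request("c2", cred2)]
```

In both modes the password accepted on the first connection is rejected with 407 on the second; the modes differ only in whether a request without the header succeeds on an already authenticated connection.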