- From: John Franks <john@math.nwu.edu>
- Date: Wed, 6 Aug 1997 09:12:16 -0500 (CDT)
- To: David Jablon <dpj@world.std.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

On Wed, 6 Aug 1997, David Jablon wrote:

> Gentlemen,
>
> I support your goal of replacing the clear-text
> password method in HTTP with something stronger, but I
> wonder about why you didn't consider something stronger.
> Several password-based protocols are known that
> are much better than the one described in this
> document:
>

To quote from the draft:

"Digest Authentication does not provide a strong authentication mechanism. That is not its intent. It is intended solely to replace a much weaker and even more dangerous authentication mechanism: Basic Authentication. An important design constraint is that the new authentication scheme be free of patent and export restrictions."

The necessity to avoid any patent and export restrictions is fundamental. In particular, protocols which make any use of public-key techniques are not acceptable.

John Franks
Dept of Math. Northwestern University
john@math.nwu.edu

Received on Wednesday, 6 August 1997 07:13:52 UTC