- From: Vinod Valloppillil <vinodv@microsoft.com>
- Date: Mon, 5 Jan 1998 09:21:16 -0800
- To: Yaron Goland <yarong@microsoft.com>, 'Scott Lawrence' <lawrence@agranat.com>, "John C. Mallery" <jcma@ai.mit.edu>, "Roy T. Fielding (E-mail)" <fielding@ics.uci.edu>, "Larry Masinter (E-mail)" <masinter@parc.xerox.com>
- Cc: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, Paul Leach <paulle@microsoft.com>, Alex Hopmann <alexhop@microsoft.com>, "Henry Sanders (Exchange)" <henrysa@exchange.microsoft.com>, "Jim Whitehead (E-mail)" <ejw@ics.uci.edu>
also -- digest is a lot easier to implement admin-wise than the other currently available solution -- SSL (SSL requires buying certs, reapplying for a cert after x years, etc. --- this is definitely NOT an out-of-the-box solution for things like secure web admin for a backoffice server app) > -----Original Message----- > From: Yaron Goland > Sent: Tuesday, December 30, 1997 12:31 AM > To: 'Scott Lawrence'; John C. Mallery; Roy T. Fielding (E-mail); Larry > Masinter (E-mail) > Cc: HTTP Working Group; Paul Leach; Alex Hopmann; Henry Sanders > (Exchange); Jim Whitehead (E-mail) > Subject: RE: Digest mess > > Actually, an old timer (you know who you are =) insists we did Digest in > IE > 2.0. However, I am informed that it was not in 3.0 or higher. I am > considering recommending it for 5.0 or 6.0. > > The reasons I like Digest are: > > A) Digest is "good enough" for a lot of my scenarios. My users don't have > public keys and aren't likely to have them for a very long time. However > they do have passwords, lots of passwords, and Digest is a hell of a lot > better than Basic. > > B) I can export the damn thing. > > C) I can actually perform proxy/firewall controls > > D) I can mux multiple authenticated requests with different users and > passwords request/responses over a single connection (is there even a way > to > "re-authenticate" TLS with a different key or do you always have to break > the connection?) > > The main thing I hate about Digest is: > > A) Can't digest arbitrary headers. > > This is a big deal for groups like WebDAV where new headers are being > introduced which contain critical command information. For example the > depth > header specifies if a command applies to a single resource or a collection > of resources. The destination header specifies the destination of a move > or > copy. Changing these headers would have a profound effect on the meaning > of > the method. > > Unfortunately this single complaint seems to be a show stopper for a group > like WebDAV. Someone please demonstrate to me I'm wrong. You will have > made > my life much better. > > If this problem can be solved the WebDAV group would even be willing to > specify, for each method it defines, which headers MUST be part of the > digest. That should, one would hope, allow us to avoid negotiation. I can > see a later spec which adds negotiation on which headers must be digested > but that need not be part of the base spec. > > Other than this single problem, I'm a big fan of digest and would love to > recommend its implementation in IE. > > Yaron > > > -----Original Message----- > > From: Scott Lawrence [SMTP:lawrence@agranat.com] > > Sent: Wednesday, December 17, 1997 5:38 AM > > To: John C. Mallery > > Cc: HTTP Working Group > > Subject: Re: Digest mess > > > > > > > > On Wed, 17 Dec 1997, John C. Mallery wrote: > > > > > Yea, and now Internet Explorer 4.0 has broken their digest > > implementation > > > form 3.0. Of course, netscape doesn't do digests. > > > > Internet Explorer doesn't do digest and never has.
Received on Monday, 5 January 1998 06:51:30 UTC