- From: Albert Lunde <Albert-Lunde@nwu.edu>
- Date: Mon, 9 Jan 1995 14:52:55 -0600
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

At 1:49 PM 1/9/95, Daniel W. Connolly wrote:
>From: "Electronic Commerce Standards for the WWW (Spyglass)"
>http://www.spyglass.com/techreport/stdsec.htm
>|Simple Authentication - OPTIONAL
>|
>|This scheme, proposed by Spyglass, uses a random challenge sent from
>|the server to the client. The client encodes the random challenge
>|using the user's password as an encryption key in order to establish
>|authentication. See Note B for a full specification.
>|
>|This method is currently indicated as OPTIONAL, but Spyglass believes
>|that it should become REQUIRED for HTTP compliance.
>
>This was something of an eye-opener. It's so simple. We should have
>been doing this all along. There was never any reason to send
>passwords in the clear (well, uuencoded), given HTTP's two-round-trip
>authentication mechanism.

This does look like a good idea. My one concern is that we'd want to make
sure various extension mechanisms could live together before standardizing
an Extension: header, but they seem to think this is not essential to make
the protocol work.

(Are there any other MD5 PW authentication proposals for WWW lurking around
in draft form? I think I've seen this before, but I'm not sure, and I think
it's been done lately for other protocols, too.)

---
Albert Lunde Albert-Lunde@nwu.edu

Received on Monday, 9 January 1995 12:56:39 UTC
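
The contrast discussed in this message, as an added example that is not part of the original posting or of the Spyglass specification (Note B is not reproduced on this page): a Basic-style credential decodes straight back to the password, while a response keyed on a random server challenge does not carry it and cannot be replayed. HMAC-SHA-256 is an assumption standing in for the unspecified encoding; `Server`, `respond`, the helper names and the sample account are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample account. The server keeps the password itself, which a
# challenge-response scheme of this kind needs in order to recompute the response.
USERS = {"alice": b"correct horse"}


def respond(password: bytes, challenge: bytes) -> bytes:
    """Client side: key a digest of the server's challenge with the password."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.outstanding = set()  # challenges issued and not yet consumed

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)  # unpredictable, fresh per attempt
        self.outstanding.add(c)
        return c

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # A challenge is accepted once only, so a captured response
        # cannot be replayed against the same challenge.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        password = USERS.get(user)
        if password is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(respond(password, challenge), response)


def basic_credential(user: str, password: bytes) -> str:
    """What a Basic-style scheme puts on the wire: an encoding, not encryption."""
    return base64.b64encode(user.encode() + b":" + password).decode()


def recover_from_basic(credential: str) -> bytes:
    """What any observer of that credential can do with it."""
    return base64.b64decode(credential).split(b":", 1)[1]
```

The response is still only as strong as the password: an observer who records a challenge and its response can test password guesses offline, so this protects the password in transit but does not replace transport encryption.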