- From: Larry Masinter <masinter@parc.xerox.com>
- Date: Wed, 3 Jan 1996 18:26:06 PST
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

I'm just trying to figure out how to deal with 'Digest Authentication' in the face of claims that the mechanism has well known holes and limitations. Here are the procedural options, as far as I can see them:

1- Submit as Proposed standard as part of HTTP/1.1
2- Submit as Proposed standard as a separate document
3- Submit as Informational, as part of HTTP/1.0
4- Submit as Informational, as a separate document
5- Don't handle as part of IETF

The problem with options 1 and 2 is whether such Proposed Standards would have a chance of actually making it to Standard without change. I don't think this will work out: the standards track really does require us to propose solutions that don't have major holes, and if we're not interested in fixing the known problems, trying to move along standards track is inappropriate.

The problem with option 3 is that it would delay the (already late) HTTP/1.0 spec.

So, I'm leaning toward option 4 or 5. With option 4, it is likely that if you submit it in the current form, the IESG would either add or require the authors to add appropriate disclaimers as to how Digest Authentication might not add significant additional security above and beyond Basic Authentication.

Is this agreeable? I'd like to get the 'Digest Authentication' item out of its currently stalled status, and move forward on this one way or another.

Received on Wednesday, 3 January 1996 18:29:44 UTC