- From: Alex Hopmann <hopmann@holonet.net>
- Date: Wed, 3 Jan 1996 19:36:46 -0800 (PST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>1- Submit as Proposed standard as part of HTTP/1.1 >2- Submit as Proposed standard as a separate document >3- Submit as Informational, as part of HTTP/1.0 >4- Submit as Informational, as a separate document >5- Don't handle as part of IETF > >The problem with options 1 and 2 is whether such Proposed Standards >would have a chance of actually making it to Standard without change. >I don't think this will work out: the standards track really does >require us to propose solutions that don't have major holes, and if >we're not interested in fixing the known problems, trying to move >along standards track is inappropriate. >Is this agreeable? I'd like to get the 'Digest Authentication' item >out of its currently stalled status, and move forward on this one way >or another. I think I would greatly prefer #2. While I have been one of the people pointing out some of the problems with Digest and trying to get a "better" scheme developed, I agree strongly with the comments made by other people in this thread- Digest works great as it is as something that is better than Basic. Basically I would claim that "Given the design criteria of Digest authentication, it doesn't have major holes, and we have shown that we can create interoperable implementations". I don't think it needs to be the end-all-be-all of security as long as the RFC makes clear its security weaknesses. I also should state that I am suggesting #2 because I think that Digest can work fine with both HTTP 1.0 and 1.1 and that it should be able to move forward at its own pace. Alex Hopmann ResNova Software, Inc. hopmann@holonet.net
Received on Wednesday, 3 January 1996 19:42:09 UTC