Re: Where should Digest go next?

>1- Submit as Proposed standard as part of HTTP/1.1
>2- Submit as Proposed standard as a separate document
>3- Submit as Informational, as part of HTTP/1.0
>4- Submit as Informational, as a separate document
>5- Don't handle as part of IETF
>The problem with options 1 and 2 is whether such Proposed Standards
>would have a chance of actually making it to Standard without change.
>I don't think this will work out: the standards track really does
>require us to propose solutions that don't have major holes, and if
>we're not interested in fixing the known problems, trying to move
>along standards track is inappropriate.

>Is this agreeable? I'd like to get the 'Digest Authentication' item
>out of its currently stalled status, and move forward on this one way
>or another.
I think I would greatly prefer #2. While I have been one of the people
pointing out some of the problems with Digest and trying to get a "better"
scheme developed, I agree strongly with the comments made by other people in
this thread- Digest works great as it is as something that is better than
Basic. Basically I would claim that "Given the design criteria of Digest
authentication, it doesn't have major holes, and we have shown that we can
create interoperable implementations". I don't think it needs to be the
end-all-be-all of security as long as the RFC makes clear its security

I also should state that I am suggesting #2 because I think that Digest can
work fine with both HTTP 1.0 and 1.1 and that it should be able to move
forward at its own pace.

Alex Hopmann
ResNova Software, Inc.

Received on Wednesday, 3 January 1996 19:42:09 UTC