- From: Fisher Mark <FisherM@is3.indy.tce.com>
- Date: Thu, 04 Jan 96 10:47:00 PST
- To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>

Alex Hopmann writes in <199601040336.TAA02558@nic.cerf.net>:

>I think I would greatly prefer #2. While I have been one of the people
>pointing out some of the problems with Digest and trying to get a "better"
>scheme developed, I agree strongly with the comments made by other people in
>this thread- Digest works great as it is as something that is better than
>Basic. Basically I would claim that "Given the design criteria of Digest
>authentication, it doesn't have major holes, and we have shown that we can
>create interoperable implementations". I don't think it needs to be the
>end-all-be-all of security as long as the RFC makes clear its security
>weaknesses.

As someone who has held a U.S. SECRET clearance, I know that you don't always need the absolutely most secure procedures to ensure adequate security (i.e. I prefer #2 also).

"Adequate", though, tends to be circumstance-specific. If you *really* are concerned about security, you wouldn't even receive this mailing list at your main computer, instead shunting it to an *email-only* system. Not to mention directly connecting your main computer to the Internet, even through a firewall -- you would have a physically separate network for Internet-connected computers, like defense contractors sometimes do.

======================================================================
Mark Leighton Fisher          Thomson Consumer Electronics
fisherm@indy.tce.com          Indianapolis, IN

Received on Thursday, 4 January 1996 07:53:04 UTC