- From: Larry Masinter <masinter@parc.xerox.com>
- Date: Fri, 19 Jan 1996 20:05:05 PST
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I've not heard anyone propose that we remove basic authentication. Phill wrote in a message that 'it would be a logical consequence' of my arguments to do so, but I don't believe that.

As for digest authentication:

Donald Eastlake said:
> If simple changes to digest can significantly improve it, then I guess
> they should be done, but of course that does not extend to trying to
> make it some kind of bulletproof cryptographic authentication
> protocol replete with certificates and who knows what else.

Phillip Hallam-Baker said:
> I propose that we accept the following proposals :-
> 1) Adding an algorithm parameter.
> 2) Describe in detail construction of nonces.
> Here there are a number of tricks already in use which ensure that
> a nonce is only valid for requests coming from a single TCP/IP
> address.

and that he was looking into Allan's other proposals.

Robert Denny said: leave Digest alone.

Eric Sink said: We would appreciate it if you did not change Digest in a non-compatible fashion.

John Franks echoed Eric's remarks.

I had suggested that the Digest Authentication draft be more explicit about the limitations of security using it, and didn't hear any objections to that. In fact, it is a requirement that RFCs have a 'Security Considerations' section, and we won't get far without one.

I think to address these issues, we need a revised draft. Once we have a revised draft, we can go to last call. It sounds like we want to handle this as a separate draft which can be standards track, and included by reference in the HTTP/1.1 standard as well as applied to HTTP/1.0. Is that OK?

There are 6 names on the draft; will one of you commit to revising the draft along these lines in the very near future? It seems like getting the security considerations section right will take a little work.
Received on Friday, 19 January 1996 20:09:00 UTC
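The "tricks" Hallam-Baker alludes to, a nonce that is only honoured from the address it was issued to, can be illustrated as follows. This is an added example, not code from the message or from any Digest draft; the nonce layout (timestamp plus keyed hash over timestamp and client IP), the 300-second lifetime and the secret key are assumptions chosen for the illustration.

```python
"""Address-bound, time-limited nonce for a Digest-style challenge (added example).

Assumed layout: base64( "<issue-time>:<HMAC-SHA256(secret, issue-time ':' client-ip)>" ).
Binding the keyed hash to the client address means a nonce captured on one
connection cannot be replayed from another; the timestamp bounds its lifetime.
Caveat: clients behind NAT or proxies share an address, and a client whose
address changes mid-session will be re-challenged.
"""
import base64
import hashlib
import hmac
import time

NONCE_LIFETIME = 300  # seconds a nonce stays acceptable (assumed policy)


def make_nonce(secret: bytes, client_ip: str, now: float) -> str:
    """Mint a nonce tied to `client_ip` and the issue time `now`."""
    ts = str(int(now))
    tag = hmac.new(secret, f"{ts}:{client_ip}".encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{tag}".encode()).decode()


def check_nonce(secret: bytes, nonce: str, client_ip: str, now: float) -> bool:
    """Accept only a well-formed, unexpired nonce minted for this client address."""
    try:
        ts, tag = base64.b64decode(nonce).decode().split(":", 1)
        issued = int(ts)
    except ValueError:  # bad base64, bad UTF-8, missing ':' or non-numeric time
        return False
    if not 0 <= now - issued <= NONCE_LIFETIME:  # stale, or from the future
        return False
    expected = hmac.new(secret, f"{ts}:{client_ip}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


if __name__ == "__main__":
    secret = b"constructed-server-secret"  # constructed sample key, not a real one
    t0 = time.time()
    n = make_nonce(secret, "192.0.2.10", t0)
    print("same address, fresh:   ", check_nonce(secret, n, "192.0.2.10", t0 + 5))
    print("other address, fresh:  ", check_nonce(secret, n, "192.0.2.99", t0 + 5))
    print("same address, expired: ", check_nonce(secret, n, "192.0.2.10", t0 + 600))
```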