- From: Larry Masinter <masinter@parc.xerox.com>
- Date: Fri, 26 Jan 1996 14:34:21 PST
- To: pjc@trusted.com
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
If you could suggest specific wording changes, e.g., for draft-ietf-http-v10-spec-04.txt section 12.1:

> 12.1 Authentication of Clients
> As mentioned in Section 11.1, the Basic authentication scheme is
> not a secure method of user authentication, nor does it prevent the
> Entity-Body from being transmitted in clear text across the
> physical network used as the carrier. HTTP/1.0 does not prevent
> additional authentication schemes and encryption mechanisms from
> being employed to increase security.

that would be very useful. I do think that this is an issue that needs resolution before HTTP/1.0 goes out the door.

Basic authentication does not actually imply that plaintext passwords are being used; the password can be one-time, e.g., with a securID.

For what it's worth, I'm not sure:

> HTTP/1.0 does not prevent
> additional authentication schemes and encryption mechanisms from
> being employed to increase security.

carries a lot of meaning to the uninitiated.
Received on Friday, 26 January 1996 14:37:15 UTC