- From: Peter J Churchyard <pjc@trusted.com>
- Date: Fri, 26 Jan 1996 20:00:00 -0500 (EST)
- To: Larry Masinter <masinter@parc.xerox.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Along the lines of

-----------------------------------------------------------------------------

12.1 Authentication of Clients

As mentioned in Section 11, WWW-Authenticate provides a challenge-response mechanism. Section 11.1 describes the Basic authentication scheme, which allows the client to present the realm data to the user and for the user to enter a response.

The Basic authentication scheme makes no attempt to hide the user's response, but when used in conjunction with one-time password systems it can still lead to a high level of trust for this one request. Basic authentication when used with re-usable passwords is NOT a secure method of user authentication.

Basic authentication does not prevent the Entity-Body from being transmitted in clear text across the physical network used as the carrier.

HTTP/1.0 does not prevent additional authentication schemes and encryption mechanisms from being employed to increase security.

-----------------------------------------------------------------------------

I don't believe that we need to explain what one-time passwords are or the details of implementing them. Some one-time systems need prior knowledge (S/Key, Digital Pathways SNK); others do not (SecurID and other time-based systems).

Can WWW-Authenticate headers be sent only in a 401 Response? Or could they be added to all responses? Useful when using smartcards and other automatic/non-manual systems.

Pete.

--
The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123   fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850
Received on Friday, 26 January 1996 17:02:32 UTC
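The draft text quoted in the message above describes the Basic scheme only in prose. The following is an added example, written for this archive page and not part of the message or of the HTTP/1.0 draft, that shows the mechanics: the 401 challenge with WWW-Authenticate, the base64 Authorization response that hides nothing from an observer, and the difference between checking that response against a re-usable password and against a one-time password. The one-time side uses a Lamport-style hash chain as a stand-in for S/Key (an assumption: SHA-256 and hex encoding, not the real S/Key algorithm), and the user name, password, seed and realm are constructed sample values.

```python
import base64
import hashlib
import hmac

# ---- Basic scheme mechanics (the challenge/response described in 11.1) ----

def basic_challenge(realm):
    """What a server sends to start the exchange: a 401 plus a WWW-Authenticate header."""
    return ("401 Unauthorized", 'WWW-Authenticate: Basic realm="%s"' % realm)

def basic_authorization(user, response):
    """Client reply. Basic makes no attempt to hide it: just base64 of user:response."""
    token = base64.b64encode(("%s:%s" % (user, response)).encode("utf-8")).decode("ascii")
    return "Authorization: Basic " + token

def parse_basic_authorization(header):
    """Recover (user, response) from an Authorization header, as anyone on the wire can."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, response = decoded.partition(":")
    return (user, response) if sep else None

# ---- Two ways a server can check the response ----

class ReusablePasswordStore:
    """Fixed password per user: a captured Authorization header replays forever."""
    def __init__(self, passwords):
        self.passwords = dict(passwords)

    def verify(self, user, response):
        expected = self.passwords.get(user)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode("utf-8"), response.encode("utf-8"))

def _h(data):
    return hashlib.sha256(data).digest()

def otp_chain(secret, n):
    """Enrollment helper: [H^1(secret), ..., H^n(secret)] as hex. The server keeps H^n;
    the client presents H^(n-1), then H^(n-2), and so on (Lamport / S/Key-style chain).
    Assumption: SHA-256 stands in for the real S/Key hash."""
    out, cur = [], secret
    for _ in range(n):
        cur = _h(cur)
        out.append(cur.hex())
    return out

class OneTimePasswordStore:
    """Server side of the chain: accept x only if H(x) equals the last accepted value, then burn it."""
    def __init__(self, anchors):
        self.anchors = dict(anchors)   # user -> hex of the last accepted chain value

    def verify(self, user, response):
        anchor = self.anchors.get(user)
        if anchor is None:
            return False
        try:
            candidate = bytes.fromhex(response)
        except ValueError:
            return False
        if not hmac.compare_digest(_h(candidate).hex().encode("ascii"), anchor.encode("ascii")):
            return False
        self.anchors[user] = response  # move the anchor down: this value can never be accepted again
        return True

def authenticate(header, store):
    """Server handling of one request: parse the Basic response and check it against a store."""
    parsed = parse_basic_authorization(header)
    if parsed is None:
        return False
    return store.verify(*parsed)

def replay_demo():
    """Constructed scenario: the same captured Authorization header is sent twice to each store."""
    reusable = ReusablePasswordStore({"pete": "hunter2"})
    captured = basic_authorization("pete", "hunter2")
    reusable_results = (authenticate(captured, reusable), authenticate(captured, reusable))

    chain = otp_chain(b"constructed-seed", 5)
    otp = OneTimePasswordStore({"pete": chain[-1]})          # server enrolled with H^5
    captured_otp = basic_authorization("pete", chain[-2])     # client's first OTP is H^4
    otp_results = (authenticate(captured_otp, otp), authenticate(captured_otp, otp))
    next_ok = authenticate(basic_authorization("pete", chain[-3]), otp)  # H^3 is the next valid one
    return reusable_results, otp_results, next_ok

if __name__ == "__main__":
    print(basic_challenge("TIS"))
    print(replay_demo())
```

Running `replay_demo()` gives `((True, True), (True, False), True)`: with a re-usable password the captured header is accepted every time, while with the hash chain the same header is accepted once and rejected on replay, and only the next value down the chain is accepted afterwards. This is the distinction the draft text draws between "NOT a secure method" and "a high level of trust for this one request"; neither variant does anything about the Entity-Body travelling in the clear.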