Re: 'Basic' Authentication...

Along the lines of

-----------------------------------------------------------------------------
12.1 Authentication of Clients

	As mentioned in Section 11, WWW-Authenticate provides a challenge
	response mechanism. Section 11.1 describes the Basic authentication
	scheme which allows the client to present the realm data to the
	user and for the user to enter a response.

	The Basic authentication scheme makes no attempt to hide the user's
	response but, when used in conjunction with one-time password systems,
	can still lead to a high level of trust for this one request.

	Basic authentication when used with re-usable passwords is NOT a
	secure method of user authentication.

	Basic authentication does not prevent the Entity-Body from being
	transmitted in clear text across the physical network used as the
	carrier.

	HTTP/1.0 does not prevent additional authentication schemes and
	encryption mechanisms from being employed to increase security.

-----------------------------------------------------------------------------

I don't believe that we need to explain what one-time passwords are or the
details in implementing them. Some one-time systems need prior knowledge
(S/Key, Digital Pathways SNK); others do not (SecurID and other time-based
systems).

Can WWW-Authenticate headers be sent only in a 401 response, or could they be
added to all responses? That would be useful when using smartcards and other
automatic/non-manual systems.

Pete.

-- 
The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850

Received on Friday, 26 January 1996 17:02:32 UTC
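The following is an added illustration, not part of the archived message or of any draft text: a small Python model of the challenge/response exchange described in the proposed Section 12.1, showing that the Basic credential is only base64-encoded (anyone who sees the header can recover it) and that the same captured header replays successfully against a reusable password but not against a one-time password verifier. The realm name, user names and passwords are constructed for the example.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

REALM = "example-realm"  # constructed realm name for the demonstration


def build_challenge() -> Tuple[int, Dict[str, str]]:
    """The 401 a server returns when no acceptable credentials were presented."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def encode_basic(user: str, password: str) -> str:
    """What the client sends back: base64 of 'user:password'. Encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Recover user and password from an Authorization header.

    This is exactly what any observer of the clear-text request can do,
    which is why the draft text says Basic makes no attempt to hide the response.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


class ReusablePasswordVerifier:
    """A stored password: every presentation of the same value succeeds."""

    def __init__(self, creds: Dict[str, str]):
        self._creds = dict(creds)

    def verify(self, user: str, password: str) -> bool:
        expected = self._creds.get(user, "")
        # Constant-time comparison so the check itself leaks nothing about length/prefix.
        return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


class OneTimePasswordVerifier:
    """Each code is accepted at most once, so a replayed header is rejected."""

    def __init__(self, codes: Dict[str, list]):
        self._unused = {user: set(code_list) for user, code_list in codes.items()}

    def verify(self, user: str, password: str) -> bool:
        pool = self._unused.get(user)
        if pool is None or password not in pool:
            return False
        pool.discard(password)  # consume the code: it will not work a second time
        return True


def handle_request(headers: Dict[str, str], verifier) -> int:
    """Server-side handling: challenge if absent, 401 if bad, 200 if accepted."""
    auth = headers.get("Authorization")
    if auth is None:
        return build_challenge()[0]
    parsed = decode_basic(auth)
    if parsed is None or not verifier.verify(*parsed):
        return 401
    return 200


def replay_outcomes() -> Dict[str, Tuple[int, int]]:
    """Present the same captured header twice to each verifier kind.

    Returns the status codes of the first and second presentation.
    """
    reusable = ReusablePasswordVerifier({"alice": "s3cret"})
    one_time = OneTimePasswordVerifier({"alice": ["s3cret"]})
    captured = {"Authorization": encode_basic("alice", "s3cret")}  # constructed capture
    return {
        "reusable": (handle_request(captured, reusable), handle_request(captured, reusable)),
        "one_time": (handle_request(captured, one_time), handle_request(captured, one_time)),
    }


if __name__ == "__main__":
    print(build_challenge())
    print(decode_basic(encode_basic("alice", "s3cret")))
    print(replay_outcomes())
```

The exchange starts with the server's `WWW-Authenticate: Basic realm=...` challenge on a 401; the client answers with `Authorization: Basic <base64>`. The reusable verifier accepts the replayed header both times, which is the draft's point that Basic with reusable passwords is not secure; the one-time verifier accepts it once and then rejects it, which is the "high level of trust for this one request" case.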