
Re: 'Basic' Authentication...

From: Peter J Churchyard <pjc@trusted.com>
Date: Fri, 26 Jan 1996 20:00:00 -0500 (EST)
Message-Id: <9601270100.AA07162@hilo.trusted.com>
To: Larry Masinter <masinter@parc.xerox.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Along the lines of

12.1 Authentication of Clients

	As mentioned in Section 11, WWW-Authenticate provides a challenge
	response mechanism. Section 11.1 describes the Basic authentication
	scheme, which allows the client to present the realm data to the
	user and for the user to enter a response.

	The Basic authentication scheme makes no attempt to hide the user's
	response, but when used in conjunction with one-time password systems
	it can still lead to a high level of trust for this one request.

	Basic authentication when used with re-usable passwords is NOT a
	secure method of user authentication.

	Basic authentication does not prevent the Entity-Body from being
	transmitted in clear text across the physical network used as the

	HTTP/1.0 does not prevent additional authentication schemes and
	encryption mechanisms from being employed to increase security.


I don't believe that we need to explain what one-time passwords are or the
details of implementing them. Some one-time systems need prior knowledge
(S/Key, Digital Pathways SNK); others do not (Securid and other time based

Can WWW-Authenticate headers be sent only in a 401 response, or could they be
added to all responses? Useful when using smartcards and other
automatic/non-manual systems.


The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850
Received on Friday, 26 January 1996 17:02:32 UTC
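The two claims in the draft text above, that a Basic response is sent in the clear and that a one-time password still bounds the damage to a single request, can be checked concretely. The following is an added example, not code from the message, the working group, or any HTTP implementation. It constructs a Basic challenge and credential, shows what a passive observer recovers from one request, and contrasts a reusable password with an S/Key-style hash chain (a Lamport chain, here with SHA-256 rather than S/Key's MD4; the user names, realm, seed and chain length are constructed for the demonstration).

```python
"""Added example: Basic authentication with reusable vs one-time passwords.
Not part of the original message or any spec; names and values are constructed."""
import base64
import hashlib
import re


def basic_challenge(realm: str) -> str:
    """Server side: the WWW-Authenticate header value for the Basic scheme."""
    return f'Basic realm="{realm}"'


def parse_challenge(header_value: str) -> tuple[str, str]:
    """Client side: extract scheme and realm from a WWW-Authenticate value."""
    m = re.match(r'\s*(\w+)\s+realm="([^"]*)"', header_value)
    if not m:
        raise ValueError("unrecognised challenge: %r" % header_value)
    return m.group(1), m.group(2)


def basic_credentials(user: str, response: str) -> str:
    """Client side: the Authorization header value. base64 is an encoding,
    not encryption, so the response travels in the clear."""
    token = base64.b64encode(f"{user}:{response}".encode()).decode()
    return "Basic " + token


def eavesdrop(authorization_value: str) -> tuple[str, str]:
    """What a passive observer on the network learns from one request."""
    scheme, _, token = authorization_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, response = base64.b64decode(token).decode().partition(":")
    return user, response


class ReusablePasswordVerifier:
    """Accepts the same password every time: a captured response replays."""

    def __init__(self, user: str, password: str):
        self._creds = {user: password}

    def verify(self, user: str, response: str) -> bool:
        return self._creds.get(user) == response


class HashChainVerifier:
    """S/Key-style one-time passwords (Lamport hash chain). The server keeps
    only h^n(seed); the client sends h^(n-1)(seed); the server accepts iff
    h(presented) == stored and then stores the presented value. Each value
    is usable exactly once, so capturing it on the wire gains nothing."""

    def __init__(self, user: str, last_accepted: bytes):
        self._last = {user: last_accepted}

    @staticmethod
    def h(x: bytes) -> bytes:
        return hashlib.sha256(x).digest()  # stand-in for S/Key's MD4

    def verify(self, user: str, response_hex: str) -> bool:
        try:
            presented = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if self.h(presented) != self._last.get(user):
            return False
        self._last[user] = presented  # advance: this value is now spent
        return True


def otp_chain(seed: bytes, n: int) -> list[bytes]:
    """Client side: h^0(seed) .. h^n(seed); values are used from n-1 downward."""
    chain = [seed]
    for _ in range(n):
        chain.append(HashChainVerifier.h(chain[-1]))
    return chain


def demo() -> dict:
    """Run both verifiers against what an eavesdropper captured."""
    scheme, realm = parse_challenge(basic_challenge("example"))
    # Reusable password: one observed request yields a credential that replays.
    reusable = ReusablePasswordVerifier("alice", "hunter2")
    captured = eavesdrop(basic_credentials("alice", "hunter2"))
    reusable_replays = reusable.verify(*captured)
    # One-time password: the same captured value is rejected on reuse,
    # while the legitimate next value in the chain is still accepted.
    chain = otp_chain(b"constructed-seed", 5)
    otp = HashChainVerifier("alice", chain[5])
    first = otp.verify(*eavesdrop(basic_credentials("alice", chain[4].hex())))
    replay = otp.verify(*eavesdrop(basic_credentials("alice", chain[4].hex())))
    next_ok = otp.verify(*eavesdrop(basic_credentials("alice", chain[3].hex())))
    return {"scheme": scheme, "realm": realm, "reusable_replays": reusable_replays,
            "otp_first": first, "otp_replay": replay, "otp_next": next_ok}


if __name__ == "__main__":
    print(demo())
```

The point the draft text makes is visible in the result: `eavesdrop` recovers the reusable password and the replay is accepted, whereas the captured one-time value is accepted exactly once. Note that the hash chain protects only the credential; the Entity-Body still crosses the network in clear text, exactly as the draft says.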
