Re: RFC1734

> Does not map onto http very well. WWW-Auth/Authorization already provides
> the basic framework. I apologise if this is not what you were talking about
> and were discussing replaceing 1725's APOP with 1734.

It is not what I was talking about. I was talking about APOP in POP3, not APOP
in HTTP, here. I understand that AUTH doesn't map into HTTP very well, nor was
I suggesting that it be so mapped.

> As a firewall proxy implementor APOP has a very useful attribute. If the
> firewall can auth the user, then the firewall can use the same info to
> authenticate with an APOP server. APOP is one of the few existing mechanisms
> that allow this and yet are strong.

You still have not explained why APOP is superior to digest authentication in
any way. You are going to have to address this if you expect this proposal to
go anywhere. The ability to use a shared secret in multiple contexts is always
an option regardless of the specifics of the scheme, and thus is not an
advantage unique to APOP.


Received on Tuesday, 20 February 1996 13:38:00 UTC