- From: Dave Kristol <dmk@allegra.att.com>
- Date: Mon, 26 Aug 96 09:45:45 EDT
- To: koen@win.tue.nl
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
koen@win.tue.nl (Koen Holtman) wrote: > I feel that digest authentication is a `may support' feature, not a > `must support' feature for HTTP/1.x applications. I feel that > compliance with 1.1 must _not_ require support for digest > authentication: support for various authentication methods has always > been optional in HTTP. If support were required, this would greatly > increase the requirements on a minimal 1.1 application, which is a bad > thing. I would like to see it be mandatory. Here's why. 1) We would like Digest to supersede Basic. 2) As long as there's uncertainty that Digest is widely supported by browsers, servers will of necessity ask for authentication by either. (That's assuming they support Digest themselves.) 3) If servers can ask for both kinds of authentication, there's no incentive for browser vendors to support Digest. So (I believe) they won't. So here's a proposal: if an HTTP/1.1 agent (client or server) supports Basic, it must also support Digest. Authentication support remains optional, but it's all or none. Dave Kristol
Received on Monday, 26 August 1996 06:49:36 UTC