- From: David W. Morris <dwm@shell.portal.com>
- Date: Tue, 27 Aug 1996 01:31:34 -0700 (PDT)
- To: http working group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
On Mon, 26 Aug 1996, John Franks wrote:

> I strongly agree with Dave. I think his arguments are very sound.
> I would clarify one point, though. It should be possible to support
> Digest and not support Basic. But I like the requirement that
> if Basic is supported then Digest must be also. I think Koen's
> concerns about minimal implementations are met by the possibility of
> supporting neither.

I disagree weakly ... SHOULD is strong enough ... I have an HTTP application which at the 99.9% level will be deployed in a single machine. A password in the clear would not be exposed outside of the machine. Of the remaining .1%, the bulk will be on an intranet LAN where exposure is not a large risk. On that basis, we use basic authentication to restrict access from users outside the single machine.

Hence, I believe it a reasonable design point to support BASIC w/o DIGEST. SHOULD support DIGEST provides an opportunity for carefully reasoned escape where other features are probably worth more of the implementation effort.

Dave Morris

Received on Tuesday, 27 August 1996 01:36:31 UTC