- From: Lou Montulli <montulli@netscape.com>
- Date: Tue, 27 Aug 1996 13:45:37 -0700
- To: Michael Smith <ms@gf.org>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Lou Montulli wrote:
>
> Michael Smith wrote:
> >
> > Daniel DuBois <dan@spyglass.com> wrote:
> >
> > >"SHOULD" is clearly not going to get Netscape to support Digest.
> > > The only thing that we can *hope*
> > >will get Netscape to support Digest is the threat of slapping "HTTP/1.1
> > >uncompliant" on them publicly and hope it shames them into supporting it.
> > >
> >
> > Is it true that Netscape opposes Digest? Why? Is there anybody from Netscape
> > on the list who can comment on this? Failing that, is there anybody not from
> > Netscape who's willing to offer a hypothesis?
>
> We had been adding support for digest auth back in 1.1 but
> then some folks decided to keep changing the spec so we
> dropped the feature.
>
> At this point there isn't any good reason to add such a weak
> authorization scheme when certificates are available already.
>
> Why would you ever want to use digest if you already have
> certificate support?
Before everyone gets angry at me, allow me to refute my
own message.
While I still feel that certificates are *way* better when
they are used, realistically speaking, they are much
harder to put into every users hands.
On the other hand Digest auth is *way*, *way* better than
basic auth and can be put into place fairly easily by
adding support in new clients and servers. For that
reason they are worth implementing even given the
existance of certificates.
:lou
--
Lou Montulli http://www.netscape.com/people/montulli/
Netscape Communications Corp.
Received on Tuesday, 27 August 1996 13:47:29 UTC