Re: http-digest-aa-rev-00.txt

Please stop.

The specification does _not_ preclude other mechanisms for password
authentication for HTTP. Many web sites use stronger mechanisms for
security in HTTP, usually by using https with alternative methods of
logging in.

All we've done is set the minimum to be something that everyone can do,
easily.

This is a topic that we addressed at length in the past. The topic
is closed. There will be no further discussion in the HTTP working
group of 'alternatives to digest authentication'.

There *was* another working group on HTTP security, and they
also closed. If you want to start work on this topic, on raising
the requirement for HTTP security to be a stronger authentication
mechanism, I suggest you call for a BOF and try to get the interested
implementor community to come.

If you wish to suggest some editorial change to the wording of the
draft that goes beyond what is already there, then please make some
specific suggestions; however, check your conspiracy theories at the
door.

Thanks,

Larry
(as chair, HTTP-WG)
--
http://www.parc.xerox.com/masinter

Received on Wednesday, 6 August 1997 18:21:46 UTC