- From: Josh <josh@early.com>
- Date: Thu, 13 Nov 1997 12:31:54 -0500 (EST)
- To: Scott Lawrence <lawrence@agranat.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
According to Scott Lawrence, > > I don't think that there is any interoperability reason why you > should not send unsolicited credentials (that is, I don't think that > it breaks the protocol itself to do so), but it makes no sense from > a security point of view: > > - With Basic all you're doing is publishing your password to someone > who may not need it or have any reason to get it (which is what > you're doing every time you use Basic anyway...) > > - With Digest you can't generate valid credentials without the nonce > from the challenge anyway. > I agree that you dont generally send unsolicited credentials, but the context isnt necessarily clear. If you are challenged for credentials initially, but a long while later (potentially hours) in the same browser session, you might send those same credentials again in a later transaction. One could argue that this would be unsolicited, since its possible for those credentials to be invalid at the later time. -- --- Josh Cohen josh@early.com
Received on Thursday, 13 November 1997 09:33:21 UTC