- From: Roy T. Fielding <fielding@kiwi.ics.uci.edu>
- Date: Tue, 16 Dec 1997 00:40:30 -0800
- To: Larry Masinter <masinter@parc.xerox.com>
- Cc: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
>> The current definition seems to have lost >> all of the advantages it had over transport-level encryption, > >Except that it doesn't require encryption. Sorry, I meant transport-level security (TLS). >This is critically important. Don't go off half-cocked. I agree it is critically important. It was critically important three years ago. That doesn't change the fact that it is dead. We keep fiddling with a dead mechanism as if adding one more feature will suddenly create the installed base necessary for its deployment. We can't deploy the thing because it is too complicated to require of all HTTP clients, and yet there is no negotiation framework for the client to signal its ability to handle the mechanism other than the HTTP-version. We (or somebody) should be working on a way to do this kind of thing in a clean manner, without reliance on aspects of HTTP over which the authentication process has no control, and in a manner that is separate from the very orthogonal concept of digest authentication. The stupid thing is that we could have required Digest two years ago if it hadn't picked up all this other cruft. And the first person who says "You can do that in PEP" had better be prepared to prove it (in some future WG to be named later). ....Roy [feeling particularly grumpy this morning, sorry]
Received on Tuesday, 16 December 1997 00:47:42 UTC