- From: John Franks <john@math.nwu.edu>
- Date: Wed, 17 Dec 1997 11:59:06 -0600 (CST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
The digest authentication specification has been stable for quite some time. There are numerous implementations which interoperate. Some of them (e.g. Apache) are widely deployed. The recent spate of posts have criticized it because 1) "it suffers from featuritis", and 2) "with just a couple of additions it could be really useful." As Roy Fielding pointed out the primary failing is that it is not implemented in MSIE and Netscape. The only thing we can do to remedy this is keep the specification on track. The only reason this came up at this point was that because a hash of the Date, L-M and Expires headers can be part of the response there could be a problem for servers with no clock if a proxy added a Date header. There is a simple answer to this which is that proxies should not be allowed to add or change Date, L-M or Expires headers. There are no known implementations which do so and no one has suggested any reason it is necessary to do so. In short there is nothing wrong with digest. It works; there are implementations; they interoperate. We would like more implementations and the way to get that is keep the specification on track. John Franks john@math.nwu.edu
Received on Wednesday, 17 December 1997 10:04:23 UTC