- From: Larry Masinter <masinter@parc.xerox.com>
- Date: Wed, 17 Dec 1997 09:58:51 PST
- To: David Jablon <dpj@world.std.com>
- Cc: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>

[Administrative note: I'm trying to arrange for an alternate HTTP-WG mailing list host so that we can continue discussions during the nearly 3 weeks that 'cuckoo.hpl.hp.com' is not available.]

I've reviewed the mail on this topic. On the general issue of whether Digest authentication is 'worth it', this is a topic that we've debated at length and come to a conclusion long ago.

The argument that it isn't worth the bother ('not better than TLS') doesn't hold. That we could and should be working on a replacement is not a good reason for not going forward with what we have.

The original rationale for including digest authentication within HTTP still holds: We cannot progress an Internet Standard which ONLY has Basic Authentication as its authentication method, and any other solution than Digest has more difficulties than Digest. We do not want to put HTTP/1.1 as Draft Standard on hold for a year or two while we try to come up with an acceptable replacement for Digest Authentication.

We're going to proceed with Digest Authentication as a separately specified but mandatory part of HTTP/1.1. If there is a consensus to make some changes to Digest Authentication in order to improve its utility, then we'll make those changes. However, the subject of "let's not do it at all" is closed. We need to either ship what we have or modify it in a way that is generally acceptable.

Larry Masinter
(as chair, HTTP working group)
--
http://www.parc.xerox.com/masinter

Received on Wednesday, 17 December 1997 10:13:41 UTC