RE: Digest mess

also --  digest is a lot easier to implement admin-wise than the other
currently available solution -- SSL

(SSL requires buying certs, reapplying for a cert after x years, etc.  ---
this is definitely NOT an out-of-the-box solution for things like secure web
admin for a backoffice server app)

> -----Original Message-----
> From:	Yaron Goland 
> Sent:	Tuesday, December 30, 1997 12:31 AM
> To:	'Scott Lawrence'; John C. Mallery; Roy T. Fielding (E-mail); Larry
> Masinter (E-mail)
> Cc:	HTTP Working Group; Paul Leach; Alex Hopmann; Henry Sanders
> (Exchange); Jim Whitehead (E-mail)
> Subject:	RE: Digest mess
> Actually, an old timer (you know who you are =) insists we did Digest in
> IE
> 2.0. However, I am informed that it was not in 3.0 or higher. I am
> considering recommending it for 5.0 or 6.0.
> The reasons I like Digest are:
> A) Digest is "good enough" for a lot of my scenarios. My users don't have
> public keys and aren't likely to have them for a very long time. However
> they do have passwords, lots of passwords, and Digest is a hell of a lot
> better than Basic.
> B) I can export the damn thing.
> C) I can actually perform proxy/firewall controls
> D) I can mux multiple authenticated requests with different users and
> passwords request/responses over a single connection (is there even a way
> to
> "re-authenticate" TLS with a different key or do you always have to break
> the connection?)
> The main thing I hate about Digest is:
> A) Can't digest arbitrary headers.
> This is a big deal for groups like WebDAV where new headers are being
> introduced which contain critical command information. For example the
> depth
> header specifies if a command applies to a single resource or a collection
> of resources. The destination header specifies the destination of a move
> or
> copy. Changing these headers would have a profound effect on the meaning
> of
> the method.
> Unfortunately this single complaint seems to be a show stopper for a group
> like WebDAV. Someone please demonstrate to me I'm wrong. You will have
> made
> my life much better.
> If this problem can be solved the WebDAV group would even be willing to
> specify, for each method it defines, which headers MUST be part of the
> digest. That should, one would hope, allow us to avoid negotiation. I can
> see a later spec which adds negotiation on which headers must be digested
> but that need not be part of the base spec.
> Other than this single problem, I'm a big fan of digest and would love to
> recommend its implementation in IE.
> 		Yaron
> > -----Original Message-----
> > From:	Scott Lawrence []
> > Sent:	Wednesday, December 17, 1997 5:38 AM
> > To:	John C. Mallery
> > Cc:	HTTP Working Group
> > Subject:	Re: Digest mess
> > 
> > 
> > 
> > On Wed, 17 Dec 1997, John C. Mallery wrote:
> > 
> > > Yea, and now Internet Explorer 4.0 has broken their digest
> > implementation
> > > form 3.0. Of course, netscape doesn't do digests.
> > 
> >   Internet Explorer doesn't do digest and never has.

Received on Monday, 5 January 1998 06:51:30 UTC