RE: Digest mess from Josh Cohen on 1998-01-07 (ietf-http-wg@w3.org from January to March 1998)

From: Josh Cohen <joshco@microsoft.com>
Date: Tue, 6 Jan 1998 18:16:09 -0800
To: 'Ned Freed' <Ned.Freed@innosoft.com>
Cc: 'Dave Kristol' <dmk@bell-labs.com>, HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <21FD6499922DD111A4F600805FCCD6F2BC35F1@red-86-msg.dns.microsoft.com>

My main point is that if digest does only one thing,
 prevent cleartext passwords, I am content.

If we can fix the digest proposal to do just that
and continue to move to draft standard, then we 
should to it.



--
Josh Cohen <joshco@microsoft.com>
Program Manager - Internet Technologies 

> -----Original Message-----
> From: Ned Freed [mailto:Ned.Freed@innosoft.com]
> Sent: Tuesday, January 06, 1998 5:41 PM
> To: Josh Cohen
> Cc: 'Dave Kristol'; HTTP Working Group
> Subject: RE: Digest mess
> 
> 
> > I agree.
> > (feel free to correct me if Im wrong..)
> 
> > There seems to be a lot of other protocols
> > or efforts which depend on HTTP um, security.
> > By having digest, they meet the IETF security
> > requirements, and may proceed.
> > If digest fails or comes out of the spec, this
> > will derail other efforts as well.
> 
> Actually it could well be the other way around. If Digest continues on its
> present course and continues not to be implemented there are going to be
> problems moving to Draft Standard. And if Digest stalls at Proposed 
> so will all
> the things that depend on it.
> 
> On the other hand, if Digest is "fixed"  the most that will happen is that
it
> will reset to proposed. This is not a big deal -- the most it will cause
is a
> delay. And if the "fix" facilitates implementation it will end up
facilitating
> the advancement of other work that depends on it.
> 
> The point I'm trying to make here is that continuing on the present course
may
> be the one thing that really isn't an option. So the question then
becomes,
> which change to Digest that's currently under consideration will
facilitate
> deployment and hence help the process along? (I do not pretend to know the
> answer to this.)
> 
> > I know that we're supposed to avoid favoring
> > "process" over technical soundness, but in this
> > case, I dont think that applies.
> 
> I think process issues do apply, although the way in which they do
> may not be obvious.
> 
> 				Ned
>

Received on Tuesday, 6 January 1998 18:21:27 UTC