- From: Scott Lawrence <lawrence@agranat.com>
- Date: Wed, 07 Jan 1998 10:18:16 -0500
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>>>>> "DK" == Dave Kristol <dmk@bell-labs.com> writes:
DK> Repeat after me "Digest is meant to replace Basic."
I would just extend that to
"Digest is meant to replace Basic with something useful."
DK> Basic provides no message integrity. There may indeed be a need
DK> for a lightweight way to detect POST/PUT message integrity. But
DK> let's not necessarily force the latter on the former.
Even GET without at least some response integrity is of questionable
value, and without a digest you don't even get that (and you can if
you include a client nonce). I don't accept the argument that we
are doing something good by replacing one inadequate mechanism with
another inadequate one.
DK> Are you saying that the original Digest wouldn't play through proxies?
DK> If so, how would the more recent version do any better? (Unless you're
DK> referring to the way proxies may mung headers. Original Digest wasn't
DK> dependent on other headers.)
It was dependant on the headers for the entity integrity, and that's
essential (in my admittedly not-so-humble opinion :).
DK> I would hate to see the best be the enemy of the good here.
As I see it, I'm far from arguing for the 'best' here... just
'adequate'.
DK> I have had server support for Digest for nearly three years (and
DK> SimpleMD5 before that), and I've longed for widespread support of
DK> Digest in clients.
...and one argument that client vendors have made for why they have
not deployed it is that it is too weak - why would they be any
more motivated to provide Digest without integrity protection?
They have argued that Basic with SSL is better, and as things appear
to be going I would have a tough time making a technical case
otherwise.
--
Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/
Received on Wednesday, 7 January 1998 07:22:42 UTC