Re: CHALLENGE-ORDER: proposed change

David W. Morris wrote:

> If I were a server owner, I would be very inclined to examine the HTTP
> user-agent field and not offer multiple choices but rather the best
> choice known to be supported by the UA. I wonder if some or
> all of the following or other implementations suggestions should be
> documented:
> 
> 1.  Tell the end user what the authentication scheme is ...
> 2.  Provide a user-agent configuration option to allow the user to
>     refuse authentication using basic

In 4.8 we have:

User agents should consider measures such as presenting a visual
indication at the time of the credentials request of what authentication
scheme is to be used, or remembering the strongest authentication scheme
ever requested by a server and produce a warning message before using a
weaker one.  It might also be a good idea for the user agent to be
configured to demand Digest authentication in general, or from specific
sites.

> 3.  Provide server owners with the ability to restrict basic usage
>     to UAs based on UA identity .. perhaps not much better in MIM case
>     but it would ensure that a UA which could use digest would use it.

The standard does not say anything now about what criteria may be used by
the server to choose the offered schemes, and to my way of thinking that
allows for any criteria at all, including UA identity (personally, keeping
up with what browsers send for identity is way too much trouble for me).

> 4.  Provide applications with the ability to differentiate the level of
>     access based on authentication type. Read via basic but create/update
>     only by digest or better.

Again, I don't think that there is anything in the spec that forbids such a
thing, and it is therefore allowed (and, I think, is a good idea).

-- 
Scott Lawrence           Consulting Engineer      <lawrence@agranat.com>
Agranat Systems, Inc.  Embedded Web Technology   http://www.agranat.com/

Received on Friday, 31 July 1998 10:12:51 UTC
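An added example, not from the thread or the draft, sketching items 3 and 4 above together with the 4.8 advice: a server that lists Digest before Basic and accepts Basic only for read methods, and a user-agent memory that flags a downgrade from the strongest scheme a site has ever requested. The `STRENGTH` ranking, the method split, and the realm/nonce/origin values are assumptions; no credential verification is performed.

```python
from typing import Dict, List, Tuple

# Constructed ranking of the two schemes discussed in the thread.
STRENGTH = {"basic": 1, "digest": 2}
# Read-only methods may use Basic; anything else must use Digest (item 4).
SAFE_METHODS = {"GET", "HEAD"}


def challenges(realm: str, nonce: str, offer_basic: bool = True) -> List[str]:
    """WWW-Authenticate values, strongest scheme first, so a UA that takes the
    first scheme it understands is not steered to Basic (nonce is caller-supplied)."""
    out = [f'Digest realm="{realm}", qop="auth", nonce="{nonce}"']
    if offer_basic:
        out.append(f'Basic realm="{realm}"')
    return out


def scheme_of(header: str) -> str:
    """Lower-cased scheme token of an Authorization/challenge value ('' if empty)."""
    return header.split(None, 1)[0].lower() if header else ""


def server_decision(method: str, authorization: str) -> Tuple[int, str]:
    """Policy only: read with Basic or Digest, create/update with Digest only."""
    scheme, m = scheme_of(authorization), method.upper()
    if scheme not in STRENGTH:
        return 401, "no recognised credentials"
    if m not in SAFE_METHODS and STRENGTH[scheme] < STRENGTH["digest"]:
        return 401, f"{m} requires Digest, got {scheme}"
    return 200, f"{m} accepted with {scheme}"


class UserAgentMemory:
    """Remembers the strongest scheme each origin ever challenged with and
    reports a downgrade before weaker credentials would be sent (section 4.8)."""

    def __init__(self) -> None:
        self.strongest: Dict[str, str] = {}

    def observe(self, origin: str, offered: List[str]) -> Tuple[str, bool]:
        """Pick the strongest known scheme offered; return (scheme, downgrade?)."""
        known = [s for s in map(scheme_of, offered) if s in STRENGTH]
        if not known:
            return "", False
        chosen = max(known, key=STRENGTH.__getitem__)
        best = self.strongest.get(origin)
        downgrade = best is not None and STRENGTH[chosen] < STRENGTH[best]
        if best is None or STRENGTH[chosen] > STRENGTH[best]:
            self.strongest[origin] = chosen
        return chosen, downgrade
```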