- From: Spencer Dawkins <Spencer.Dawkins.sdawkins@nt.com>
- Date: Fri, 7 Aug 1998 10:14:12 -0400
- To: 'Paul Leach' <paulle@microsoft.com>, "'http-wg@hplb.hpl.hp.com'" <http-wg@hplb.hpl.hp.com>
I know what Paul is trying to say, and I agree that it would be a good thing. My question is, is "strongest" unambiguous? Does it just mean "maximum key length"? I'm not trying to be pedantic - this is an important part of protecting against "drop your shields" man-in-the-middle attacks, and I'd like to see the spec be pretty precise about a user's exposure to server selection of a "weaker" authentication scheme when a stronger scheme could be used. But I can't define "weak" and "strong" either!

Spencer

> -----Original Message-----
> From: Paul Leach [SMTP:paulle@MICROSOFT.com]
> Sent: Friday, August 07, 1998 2:57 AM
> To: 'http-wg@hplb.hpl.hp.com'
> Subject: RE: Digest Authentication Challenge Ordering
>
> I propose that the user-agent MUST choose the strongest auth-scheme it
> understands. This permits the server to put Basic first for old browsers (if
> it finds Basic acceptably secure). The order really doesn't matter, since
> the server is only supposed to offer minimally acceptable schemes.
Received on Friday, 7 August 1998 07:19:28 UTC
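The rule Paul proposes (the user-agent picks the strongest auth-scheme it understands, whatever order the server lists the challenges in) could be implemented on the client like this. This is an added example, not code from either message or from any browser; the Digest-over-Basic ranking is an assumed local policy, since the thread itself does not define "strong", and the header values are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed client policy, higher is stronger. The thread leaves "strong"
# undefined, so this ranking is the example's own choice, not the spec's.
SCHEME_RANK = {"digest": 2, "basic": 1}

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# auth-param: token "=" (token | quoted-string), ended by a comma or end of header
_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})\s*(?:,|$)")
# a bare token NOT followed by "=" starts a new challenge
_SCHEME = re.compile(rf"\s*,?\s*({_TOKEN})(?=\s|,|$)")

def parse_challenges(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split a WWW-Authenticate value into (scheme, params) pairs.

    Challenges and their auth-params share the comma as separator, so the
    parser decides by shape: token '=' value belongs to the current
    challenge; any other token begins a new one.
    """
    header = header.strip()
    challenges: List[Tuple[str, Dict[str, str]]] = []
    pos = 0
    while pos < len(header):
        m = _PARAM.match(header, pos)
        if m and challenges:
            value = m.group(2)
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape quoted-pair
            challenges[-1][1][m.group(1).lower()] = value
        else:
            m = _SCHEME.match(header, pos)
            if not m:
                raise ValueError(f"malformed challenge at offset {pos}")
            challenges.append((m.group(1).lower(), {}))
        pos = m.end()
    return challenges

def choose_scheme(header: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Pick the strongest understood challenge, ignoring the server's ordering."""
    best: Optional[Tuple[int, str, Dict[str, str]]] = None
    for scheme, params in parse_challenges(header):
        rank = SCHEME_RANK.get(scheme)
        if rank is None:
            continue  # not understood by this client, so never selectable
        if best is None or rank > best[0]:
            best = (rank, scheme, params)
    return None if best is None else (best[1], best[2])

# Constructed header: Basic listed first "for old browsers", Digest after it.
BASIC_FIRST = 'Basic realm="wg", Digest realm="wg", qop="auth", nonce="n1", algorithm=MD5'
```

Running `choose_scheme(BASIC_FIRST)` selects the Digest challenge even though Basic is listed first, and a header offering only schemes the client does not understand yields `None` rather than a silent fallback.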