RE: Microsoft to Strike IE URL Passwords from Paul Leach on 2004-01-30 (ietf-http-wg@w3.org from January to March 2004)

From: Paul Leach <paulle@windows.microsoft.com>
Date: Fri, 30 Jan 2004 14:32:09 -0500 (EST)
To: "Dave Kristol" <dmk@acm.org>, "HTTP Working Group" <ietf-http-wg@w3.org>
Message-ID: <91D7F2CEE3425A4A9D11311D09FCE24606F60C18@WIN-MSG-10.wingroup.windeploy.ntdev.mi>

You read it incorrectly. We're changing IE so that passwords embedded in
HTTP URLs won't be allowed. This puts us in compliance with 2616 and 1738
(and sucessor). 

> -----Original Message-----
> From: ietf-http-wg-request@w3.org 
> [mailto:ietf-http-wg-request@w3.org] On Behalf Of Dave Kristol
> Sent: Thursday, January 29, 2004 11:38 AM
> To: HTTP Working Group
> Subject: Microsoft to Strike IE URL Passwords
> 
> 
> 
> 
> 
> <http://www.internetnews.com/dev-news/article.php/3305741>
> 
> If I understand this article correctly, it sounds like MS IE 
> will remove support for Basic Authentication.  While we all 
> agree that cleartext passwords are evil, this sounds to me 
> like it will create a major compatibility problem at sites 
> that use Basic.  And note that it covers Basic over SSL, too, 
> where the passwords would *not* be cleartext.
> 
> Dave Kristol
> 
>

Received on Saturday, 31 January 2004 09:31:23 UTC