ons 2006-10-18 klockan 09:24 +0000 skrev Ingo Struck: > A formulation within an updated http/1.1 document could be > that a conforming server implementation MUST NOT use the > Basic auth scheme (or equally weak schemes), while clients > MAY support it, but if they do they MUST warn the user > decidedly -- if this seems to be too restrictive a SHOULD NOT > could still suffice. I would add "without adequate transport level security" to the above. Exchanges of plain-text passwords is often required for interoperability reasons far beyond the HTTP protocol as such. In very many applications the server simply MUST know the plain-text password of the user. The main reason why Digest auth hasn't been widely deployed and most still using Basic is because of these reasons. There is not very much as such wrong with Digest auth even if there is areas which can be improved (and many broken implementations), but in practice it's often completely useless as the backend systems doesn't support Digest auth, only other proprietary authentication protocols or plain text. Quite recently there was a standardisation effort which have brought Digest auth a bit closer to something deployable by extending RADIUS with Digest auth support. Hopefully this will make Digest a more available alternative. Regards Henrik
Received on Wednesday, 18 October 2006 10:21:00 UTC