Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

On Sat, 4 Nov 2006, Robert Sayre wrote:

>
> On 11/4/06, Henrik Nordstrom <hno@squid-cache.org> wrote:
> > Sat 2006-11-04 at 10:47 -0800, Lisa Dusseault wrote:
> >
> > > So I guess a decision that CLIENTS MUST support Basic and Digest in a
> > > new HTTP RFC, might be signalled by a minor version bump.
> >
> > I too don't see why a version bump would even be remotely needed in this
> > case. It's already the server who dictates which authentication
> > protocols are acceptable to the server,
>
> An HTTP/1.1 message is not a guarantee that the sender supports any
> authentication mechanism. Servers receiving a hypothetical HTTP/1.2
> message could make that assumption.

But in the end it doesn't matter: the server sends the appropriate
challenge (assuming acceptable credentials weren't in the request)
and the challenge is either understood or it isn't. The outcome
is essentially identical ... the request is authenticated or it isn't.

Yes, it takes an extra set of round trips as the server can't reject
the request out of hand. In terms of percentage of total HTTP network traffic,
it will be lost in the noise.

Received on Saturday, 4 November 2006 20:44:47 UTC