- From: Adrien de Croy <adrien@qbik.com>
- Date: Wed, 13 Jun 2007 10:16:27 +1200
- To: Mark Nottingham <mnot@mnot.net>
- CC: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Julian Reschke <julian.reschke@gmx.de>, Apps Discuss <discuss@apps.ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

My experience also is that it is extremely rare to encounter public web servers that use any HTTP auth mechanism. NTLM and Basic auth is often used for intranets, and proxy access. I've never seen an instance of Digest auth.

Seems to me that the issue of securing communications and authenticating or identifying parties are closely aligned, why not just have some form of auth built into TLS, then we could use it for any protocol that can use TLS, instead of having to implement separate auth schemes for every higher protocol.

Mark Nottingham wrote:
>
> On 08/06/2007, at 6:10 PM, Stephane Bortzmeyer wrote:
>
>>
>> On Thu, Jun 07, 2007 at 06:18:13PM +0200,
>> Julian Reschke <julian.reschke@gmx.de> wrote
>> a message of 14 lines which said:
>>
>>> In the wild, most authentication isn't using RFC2617 anyway.
>>
>> Any data here? IMHO, this assertion is not true, unless you limit to
>> big e-commerce Web sites. For instance, HTTP-based Web services use
>> 2617.
>
> My experience is that it isn't adequate for even those purposes, in
> many cases.
>
> --
> Mark Nottingham http://www.mnot.net/
>

Received on Tuesday, 12 June 2007 22:16:18 UTC