Re: RFC2617, was: Straw-man charter for http-bis

On Tuesday 12 June 2007 20:41, Henrik Nordstrom wrote:
> Yes, but I don't consider it an argument to drop MD5-sess.
Neither do I. Malimplementations sometimes indicate flaws in the spec,
but they are not an argument to drop what has been specified.
I don't want to drop it, I just want to move it out of rfc2617
and then create a proper description of it elsewhere.
The shorter and the more focused a spec, the higher the probability
that people get it right.
My point of having it separated is that it is far more desirable
to have people at least getting MD5 digest right, than to have a
description of what is possible but rarely ever used.

> > > How do you do MD5-sess with MD5 for the target of MD5-sess?
If we speak of the "true target" (we both agree upon) of having
a digest server ignorant of H(A1), then there clearly is no way
to do it. If you just want to achieve what is the stated target
of MD5-sess outlined in the spec, then MD5 could do the same thing.

> > Of course you are right, that -- if the UAs properly implemented it --
> > a web server would only need "the session key" passed over from a
> > "3rd party authentication server".
>
> And that is the purpose of MD5-sess.
And the spec should say so or leave session based authentication alone.
If you feel there's need to retain it within rfc2617,
then I would say that a paragraph describing the functionality of
MD5-sess needs to be added.

Kind regards

Ingo

Received on Wednesday, 13 June 2007 08:34:38 UTC
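The MD5-sess mechanics the two of them are arguing about, as an added example (not code from this thread, nor from any implementation Henrik or Ingo describe): with algorithm=MD5 the verifier needs H(username:realm:password), a realm-wide password equivalent, whereas with MD5-sess the verifier only needs the nonce/cnonce-bound session key, so a separate authentication server can hand that value to the web server. The Mufasa values are the worked example from RFC 2617 section 3.5; the "auth server" / "web server" split and the MD5-sess nonces are constructed for illustration.

```python
import hashlib


def h(s: str) -> str:
    """H() from RFC 2617: lowercase hex MD5 of the string."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_md5(username: str, realm: str, password: str) -> str:
    """A1 for algorithm=MD5 (RFC 2617 3.2.2.2). Whoever holds this value can
    answer any challenge in the realm, so it is a password equivalent."""
    return h(f"{username}:{realm}:{password}")


def ha1_md5_sess(ha1: str, nonce: str, cnonce: str) -> str:
    """A1 for algorithm=MD5-sess: H(A1) hashed again with nonce and cnonce.
    This is the per-session key; it is useless once nonce/cnonce change."""
    return h(f"{ha1}:{nonce}:{cnonce}")


def response(ha1_eff: str, method: str, uri: str,
             nonce: str, nc: str, cnonce: str) -> str:
    """request-digest for qop=auth: H(A1eff:nonce:nc:cnonce:auth:H(A2))."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1_eff}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


# Constructed split (assumption, not specified by RFC 2617): the authentication
# server holds the credentials and releases only the session key.
def auth_server_session_key(username: str, realm: str, password: str,
                            nonce: str, cnonce: str) -> str:
    return ha1_md5_sess(ha1_md5(username, realm, password), nonce, cnonce)


def web_server_verify(session_key: str, method: str, uri: str, nonce: str,
                      nc: str, cnonce: str, client_response: str) -> bool:
    """The web server verifies without ever seeing H(username:realm:password)."""
    return response(session_key, method, uri, nonce, nc, cnonce) == client_response


def client_response_md5_sess(username: str, realm: str, password: str,
                             method: str, uri: str, nonce: str,
                             nc: str, cnonce: str) -> str:
    """What a UA implementing MD5-sess correctly sends back."""
    a1 = ha1_md5_sess(ha1_md5(username, realm, password), nonce, cnonce)
    return response(a1, method, uri, nonce, nc, cnonce)
```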