- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Sun, 9 Sep 2007 18:47:58 -0700
- To: "Iljitsch van Beijnum" <iljitsch@muada.com>, "Alexey Melnikov" <alexey.melnikov@isode.com>
- Cc: <ietf-http-auth@osafoundation.org>, <discuss@apps.ietf.org>, <saag@mit.edu>, <ietf@ietf.org>, <ietf-http-wg@w3.org>
> From: Iljitsch van Beijnum [mailto:iljitsch@muada.com] > During the reading of this document, it occurred to me that > HTTP digest authentication (RFC 2617) rather than the widely > used practice of having security credentials be typed into an > HTTP form would achieve 90% of the requirements all by > itself. Well maybe if people had listened to me then :-) But at this point fifteen years later Digest is not the way to go. First Digest was designed under the express constraint of avoiding patent encumberances. RSA and D-H were both off the table at the time. If I was to redo Digest today or expand its scope I would do it differently. The main reason I would not is that SAML and WS-* both provide an excellent solution. I very much like and support the Cardspace idea of building into the O/S platform. I very much like the OpenID concept of making the barrier to entry very low. I would like to arrive at a happy combination of the existing proposals not see more proposals put on the table at this point.
Received on Monday, 10 September 2007 01:51:21 UTC