- From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
- Date: Mon, 28 Jan 2008 22:27:21 +0100
- To: Paul Hoffman <paul.hoffman@vpnc.org>
- Cc: ietf-http-wg@w3.org
On Mon, Jan 28, 2008 at 08:47:46AM -0800, Paul Hoffman <paul.hoffman@vpnc.org> wrote a message of 59 lines which said:

> I strongly suspect that if you add up all the authentications done
> on every HTTP server in the world today, forms+cookies+people would
> win over ((nonforms+people) + (nonforms+nonpeople)).

Maybe; it depends on the metrics you use :-) Number of installations, number of requests per day, number of US $ processed? :-)

My personal impression is that it is either forms+people or nonforms+nonpeople and the rest is marginal. What do other people think? I was extremely surprised that "nonpeople" uses of HTTP were, it seems, ignored in version -00.

> The sentence is about reusability, not general danger. The
> reusability comes directly from the attacker being able to see the
> Basic credential go by.

No, it comes from the credential being static. If you use OTP, surely it does not matter if the attacker can see "the credential go by"?

> Section 2.4 is explicitly about "Web Services", not REST and the like.

Well, in that case, I have to ask for the I-D to provide a definition for Web Services (I'm myself lost in the marketing talk). But it would be a strange definition if it excludes REST.
Received on Monday, 28 January 2008 21:28:01 UTC
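The point made in the message above, that reusability follows from a credential being static rather than from it being observable, can be shown with a small server-side experiment. This is an added example, not code from the thread or from the I-D under discussion; it contrasts an HTTP Basic verifier with an HOTP (RFC 4226) verifier that remembers the last counter it accepted, so that a credential captured once and presented twice is accepted twice by the former and only once by the latter. The user name "alice", the password store and the shared secret (the RFC 4226 test-vector key) are constructed sample data.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample data, not taken from the thread.
SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret, assigned to hypothetical user "alice"
PASSWORD_DB = {"alice": "s3cret"}   # constructed static password store


def parse_basic_credential(header_value):
    """Decode an HTTP Basic 'Authorization' header value into (user, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def verify_basic(header_value, password_db=PASSWORD_DB):
    """Static credential: any valid copy is accepted, however many times it is presented."""
    user, password = parse_basic_credential(header_value)
    expected = password_db.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode())


def hotp(secret, counter, digits=6):
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


class OtpVerifier:
    """One-time credential: the server remembers the last counter it accepted per user,
    so a code that was already consumed is rejected even if it was valid a moment ago.
    A small look-ahead window tolerates codes the client generated but never sent."""

    def __init__(self, secrets, window=5):
        self.secrets = secrets                        # user -> shared secret
        self.last_counter = {u: -1 for u in secrets}  # -1: nothing accepted yet
        self.window = window

    def verify(self, user, code):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        start = self.last_counter[user] + 1
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[user] = counter     # consume this and every earlier counter
                return True
        return False


def replay_experiment():
    """Capture each credential once, present it twice, and return both acceptance sequences."""
    basic_header = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    basic_results = [verify_basic(basic_header), verify_basic(basic_header)]

    otp = OtpVerifier({"alice": SECRET})
    captured_code = hotp(SECRET, 0)                   # the one code that was observed in transit
    otp_results = [otp.verify("alice", captured_code), otp.verify("alice", captured_code)]
    return basic_results, otp_results


if __name__ == "__main__":
    basic, otp = replay_experiment()
    print("Basic credential accepted on first/second use:", basic)  # [True, True]
    print("HOTP code accepted on first/second use:      ", otp)    # [True, False]
```

The Basic verifier has no state, so observing one request is enough to reproduce every later one; the HOTP verifier's `last_counter` is what makes the captured code worthless after its first use. Transport protection (TLS) changes who can observe the credential, but it is the verifier's statefulness that changes whether observation matters.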