- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Wed, 29 Feb 2012 23:30:03 +0100
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Wed 2012-02-29 at 12:39 -0800, Roy T. Fielding wrote:

> It doesn't work well if your goal is to never send passwords in the clear
> and never share the true password (before being hashed) with each server,
> but that's because of the lack of new auth schemes. Hence, it isn't
> actually useful for the introduction of new schemes that are intended
> to solve those very problems.

I disagree. It allows for a clean transition. Yes, the goal is not reached until you can disable basic auth, but this does not mean it's not useful. It's not realistic to have a model of protocol evolution without a transition period.

There may be framework things to improve in that area, making sure that user-agents are not easily fooled into downgrading to a less secure auth scheme than needed, but I'm not sure it can be realistically done within HTTP/1.1.

Regards
Henrik
Received on Wednesday, 29 February 2012 22:30:30 UTC
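The downgrade concern raised above (a user-agent being fooled into using a weaker scheme than the server can actually do) is something a client can partly address on its own. The following Python is an added illustration, not code from the thread, the HTTP working group or any real user-agent: it parses a WWW-Authenticate header carrying several challenges, picks the strongest scheme the client supports, refuses a cleartext scheme (Basic) off TLS, and remembers per origin the strongest scheme that origin has offered before so that a later Basic-only challenge is rejected as a downgrade. The scheme ranking, the `CLEARTEXT_SCHEMES` set, the `strongest_seen` memory and all sample headers and hostnames are assumptions constructed for the example; the parser is deliberately simplified (no token68 credentials).

```python
import re

# Simplified WWW-Authenticate parser (assumption: scheme followed by
# comma-separated auth-params with quoted-string or token values).
# token68 forms such as "Negotiate <base64>" are not handled here.
_SCHEME = re.compile(r'\s*,?\s*([A-Za-z][A-Za-z0-9._~+/-]*)(?=\s|,|$)')
_PARAM = re.compile(
    r'\s*,?\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_challenges(header):
    """Return [(scheme_lowercase, {param: value}), ...] in header order."""
    challenges = []
    pos = 0
    while pos < len(header):
        m = _SCHEME.match(header, pos)
        if not m:
            break  # not a scheme token: stop rather than guess
        scheme, pos = m.group(1).lower(), m.end()
        params = {}
        while True:
            p = _PARAM.match(header, pos)
            if not p:
                break  # next token is a new scheme or end of header
            if p.group(2) is not None:
                value = re.sub(r'\\(.)', r'\1', p.group(2))  # unescape quoted-pair
            else:
                value = p.group(3)
            params[p.group(1).lower()] = value
            pos = p.end()
        challenges.append((scheme, params))
    return challenges


# Assumed client policy: higher number is stronger. Basic transmits the
# password itself; Digest transmits a hash derived from it.
SCHEME_STRENGTH = {"basic": 0, "digest": 1}
CLEARTEXT_SCHEMES = {"basic"}


def choose_challenge(header, over_tls, origin, strongest_seen):
    """Pick the strongest supported challenge for this response.

    Returns (scheme, params) or None. None means: do not authenticate,
    because every usable challenge is either cleartext off TLS or weaker
    than what this origin has previously offered (a downgrade).
    strongest_seen is a dict {origin: strength} the caller persists.
    """
    best = None
    for scheme, params in parse_challenges(header):
        if scheme not in SCHEME_STRENGTH:
            continue  # scheme this client does not implement
        if scheme in CLEARTEXT_SCHEMES and not over_tls:
            continue  # never send the real password in the clear
        if best is None or SCHEME_STRENGTH[scheme] > SCHEME_STRENGTH[best[0]]:
            best = (scheme, params)
    if best is None:
        return None
    floor = strongest_seen.get(origin, 0)
    if SCHEME_STRENGTH[best[0]] < floor:
        return None  # origin offered something stronger before: refuse downgrade
    strongest_seen[origin] = max(floor, SCHEME_STRENGTH[best[0]])
    return best


if __name__ == "__main__":
    # Constructed sample headers and origin names.
    seen = {}
    both = 'Digest realm="api", qop="auth", nonce="abc123", Basic realm="api"'
    print(choose_challenge(both, False, "example.test", seen))   # digest, even off TLS
    print(choose_challenge('Basic realm="api"', True, "example.test", seen))  # None: downgrade
    print(choose_challenge('Basic realm="api"', True, "other.test", seen))    # basic over TLS
    print(choose_challenge('Basic realm="api"', False, "other.test", seen))   # None: cleartext
```

The transition the reply argues for is visible in the policy: while a server still advertises Basic next to a hashed scheme, a client following this rule never uses Basic unless it is the only option, and once an origin has demonstrated support for the stronger scheme, a Basic-only challenge from it is treated as suspect rather than honoured.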