- From: Ted Guild <ted@w3.org>
- Date: Thu, 31 May 2007 21:16:24 -0400
- To: Jacek Kopecky <jacek.kopecky@deri.org>, "Ian B. Jacobs" <ij@w3.org>
- Cc: w3t-sys@w3.org
> -------- Forwarded Message --------
>> From: Jacek Kopecky <jacek.kopecky@deri.org>
>> Subject: shorter /TR links and https://w3.org []
>> I have two items on the Website as it stands:
>>
>> 1) I suggest that w3.org be accessible over HTTPS, if only for
>> Member-only resources. I'm getting tired of the feeling that I'm sending
>> my W3C credentials over HTTP Basic authentication. Using a self-signed
>> certificate would be sufficient from my POV.

Jacek,

Thank you for the suggestions. I will only respond to the first, you should receive a reply on the second as well.

We have been unhappy with Basic Authentication but bound to it over Digest Authentication for a number of years due to an implementation problem (it doesn't implement https correctly) in several versions of a particular, widely used client. There is now a sufficient workaround for that client and we are considering, testing a development version of our custom Apache auth module in fact, moving in that direction.

We are also just starting to evaluate OpenID as potentially more suitable for us for a number of reasons including Digest Authentication cannot be proxied by services (W3C pubrules, XSLT, our Validators, online Tidy, etc.).

Serving all W3C content over SSL, redirecting to https only if authentication is required, would double the number of authenticated requests and the second request over SSL would cost us more in CPU resources encrypting the entire communication not just the credentials. Our server budget and volume of traffic on www.w3.org, lists.w3.org and other servers have persuaded us not to do this. We would also have the problem of https://www.w3.org being advertised (linked) by users for resources where no authorization is required.

Regards,
--
Ted Guild <ted@w3.org>
W3C Systems Team
http://www.w3.org
Received on Friday, 1 June 2007 01:17:18 UTC