RE: Authentication in existing WebDAV servers from Yaron Goland (Exchange) on 1999-11-02 (w3c-dist-auth@w3.org from October to December 1999)

From: Yaron Goland (Exchange) <yarong@Exchange.Microsoft.com>
Date: Tue, 2 Nov 1999 11:51:24 -0800
To: "'Greg Stein'" <gstein@lyra.org>
Cc: "Richard C." <zhengc@ea.oac.uci.edu>, "'WebDAV'" <w3c-dist-auth@w3.org>
Message-ID: <078292D50C98D2118D090008C7E9C6A603C96824@STAY.platinum.corp.microsoft.com>

Yes the spec absolutely bans the use of basic over an unsecure connection.
Frankly I hate language like this. If people want to do really stupid things
that don't effect interoperability then that should be their business.

However it was made clear to us that the absence of the previous language
would cause problems in our standardization.

So the language is in the spec.

Personally I like requiring that everyone support Digest. This is important
for interoperability. You have to have some minimum guaranteed level of
security interoperability. However beyond that I think people should be
allowed to be as stupid as they want. If they want to send Basic in the
clear, if they want to avoid using authentication at all, that is their
business.

So long as people who do want to do the right thing can do the right thing
then I'm happy.

		Yaron

> -----Original Message-----
> From: Greg Stein [mailto:gstein@lyra.org]
> Sent: Monday, November 01, 1999 11:47 PM
> To: Yaron Goland (Exchange)
> Cc: Richard C.; 'WebDAV'
> Subject: RE: Authentication in existing WebDAV servers
> 
> 
> All right... true... the spec is a bit different than I 
> implied. Section
> 17.1 spells it out. Yes, it must be supported (as opposed to always
> required), and yes, you can use anything you want... *IF* you 
> use a secure
> channel.
> 
> Over plain old HTTP, the spec does state that Basic must not be used.
> 
> Yes, I'm being picky here, but you were first :-)
> 
> Cheers,
> -g
> 
> On Mon, 1 Nov 1999, Yaron Goland (Exchange) wrote:
> > The spec says that digest MUST be supported. You can use 
> anything you want,
> > including nothing.
> > 
> > > -----Original Message-----
> > > From: Greg Stein [mailto:gstein@lyra.org]
> >...
> > > The WebDAV spec states that Digest authentication must be used.
> > > 
> > > However, all clients and servers, that I'm aware of, are 
> > > flexible in this
> > > regard. For example, Apache and mod_dav will allow the 
> use of Basic
> > > authentication.
> 
> --
> Greg Stein, http://www.lyra.org/
>

Received on Tuesday, 2 November 1999 14:51:41 UTC