- From: Larry Masinter <masinter@parc.xerox.com>
- Date: Tue, 2 Nov 1999 21:21:43 PST
- To: "'WebDAV'" <w3c-dist-auth@w3.org>
> Personally I like requiring that everyone support Digest. > This is important for interoperability. You have to have some > minimum guaranteed level of security interoperability. > However beyond that I think people should be allowed to be > as stupid as they want. If they want to send Basic in the clear, > if they want to avoid using authentication at all, that is their > business. > > So long as people who do want to do the right thing can do the > right thing then I'm happy. The question is whether what's in the spec is actually strong enough to insure interoperability. In integrating network systems with WebDAV, seems that there is no guaranteed authentication mechanism that you can be insured of supplying credentials to that will work with most servers, even for servers that are technically compliant with the spec. Right now, it says "WebDAV applications MUST support the Digest authentication scheme [RFC2069]." But servers might "implement" digest, not allow digest authentication for access rights to any of the server's collections. Secondly, "Digest authentication" is itself may not be specific enough; do you want to specify a minimum algorithm & qop value? We've been having some difficulties finding interoperable authentication mechanisms for non-browser-based WebDAV use. There's no law that says "you must implement WebdAV", so people can always implement whatever they want, and do! The question is whether compliance guarantees interoperability. Right now, it doesn't seem like it does, and the spec might need to change. Larry -- http://www.parc.xerox.com/masinter
Received on Wednesday, 3 November 1999 00:22:19 UTC