
RE: Digest Authentication

From: Phillip Hallam-Baker <hallam@ai.mit.edu>
Date: Mon, 22 Oct 2001 20:28:56 -0400
To: "'Dylan Barrell'" <dbarrell@opentext.com>, "'WebDAV'" <w3c-dist-auth@w3.org>, "'Lisa Dusseault'" <lisa@xythos.com>
Message-ID: <006c01c15b59$b43873a0$4100a8c0@ne.mediaone.net>

The policy makes very good sense. Sending passwords in the clear
is one of the major causes of compromised passwords. If a password
is compromised it is likely that the effect will compromise applications
beyond just WebDav because many users share passwords across applications.

The excuses given for not supporting digest were unconvincing. You
have an application that is not HTTP 1.1 compliant, so fix the thing.

WebDav is not going to proceed to standards status in any standards
group I have influence in if BASIC is the only mandatory to implement
authentication scheme.

In the IETF it will be subject to Jeff Schiller's veto on the IESG. 

In the W3C I will point the director to the IESG policy and the reason
for which it was made. I don't think that you are going to persuade
the W3C director to second guess the IETF on the issue.


> -----Original Message-----
> From: Dylan Barrell [mailto:dbarrell@opentext.com]
> Sent: Monday, October 22, 2001 9:28 AM
> To: Phillip Hallam-Baker; 'WebDAV'; 'Lisa Dusseault'
> Subject: RE: Digest Authentication
>
> So we have to stick to policy even when there are indisputable
> reasons why it doesn't make sense?
> This doesn't seem like a very sensible thing to do.
> --Dylan

Received on Monday, 22 October 2001 20:31:54 UTC
