- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Tue, 23 Oct 2001 20:30:16 +0200
- To: "Jim Whitehead" <ejw@cse.ucsc.edu>, <mtimmerm@opentext.com>, "'WebDAV'" <w3c-dist-auth@w3.org>
Now, are we having fun here or what? I just scanned RFC 2617 for any MUST wording on digest authentication and could not find any. The thing I found is in Ch. 4.1, 3rd paragraph: "Because Basic authentication involves the cleartext transmission of passwords it SHOULD NOT be used (without enhancements) to protect sensible or valuable information."

I think this is the way it should be stated for WebDAV as well, if it must be stated at all.

//Stefan

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Jim Whitehead
> Sent: Tuesday, October 23, 2001 8:04 PM
> To: mtimmerm@opentext.com; 'WebDAV'
> Subject: RE: Digest Authentication
>
> > You're saying that if I run my server in an environment that doesn't allow
> > me to present Digest in the WWW-Authenticate headers, then that's OK, as
> > long as there's a checkbox for Digest somewhere and I've unchecked it?
>
> Just thought of another example. The Apache server "supports" Digest
> authentication, even though the process of enabling it involves installing a
> new module (mod_auth_digest). In the case of Apache, it is possible to
> create a server that does not have any Digest authentication code in the
> running server executable.
>
> Thus, Apache is an existence proof of "supporting" Digest, while not
> compromising security in environments where characteristics of the Digest
> implementation are unacceptable.
>
> - Jim
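The RFC 2617 sentence quoted above is the whole argument: Basic puts the password on the wire, Digest puts a hash of it. The following Python is an added illustration, not code from this thread, from Apache or from any WebDAV implementation. It builds and decodes a Basic credential, then computes the RFC 2617 section 3.2.2 request-digest (qop=auth) on both the client and server side. The sample values (username "Mufasa", realm "testrealm@host.com", the nonce, cnonce and URI) are RFC 2617's own section 3.5 example; the USER_DB dictionary, the header builder and the verifier function are assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Sample values taken from the worked example in RFC 2617 section 3.5.
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
USERNAME = "Mufasa"
PASSWORD = "Circle Of Life"
URI = "/dir/index.html"
CNONCE = "0a4f113b"

# Hypothetical server-side credential store for this example only.
USER_DB = {USERNAME: PASSWORD}


def basic_header(username, password):
    """Basic (RFC 2617 section 2): base64 of 'user:pass'. Encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def basic_recover(header):
    """What a passive observer does with a Basic header: decode it back to the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, nonce, method, uri, nc, cnonce, qop="auth"):
    """RFC 2617 section 3.2.2 request-digest for qop=auth.

    HA1      = MD5(username:realm:password)
    HA2      = MD5(method:digest-uri)
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    Only the response digest travels on the wire; the password itself does not.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, password, realm, nonce, method, uri, nc="00000001", cnonce=CNONCE):
    """Client side: the Authorization header value answering a Digest challenge."""
    resp = digest_response(username, password, realm, nonce, method, uri, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_auth_params(header):
    """Split 'Scheme k="v", k2=v2' into (scheme, dict). The sample values contain no commas."""
    scheme, _, rest = header.partition(" ")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        params[key] = value.strip('"')
    return scheme, params


def server_verify_digest(header, method, user_db=USER_DB):
    """Server side: recompute the digest from the stored password and compare.

    The request method and URI are part of HA2, so a digest computed for one
    method (GET) does not verify for another (PROPFIND) even with the same nonce.
    """
    scheme, p = parse_auth_params(header)
    required = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
    if scheme != "Digest" or p.get("qop") != "auth" or any(k not in p for k in required):
        return False
    pwd = user_db.get(p["username"])
    if pwd is None:
        return False
    expected = digest_response(p["username"], pwd, p["realm"], p["nonce"],
                               method, p["uri"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    hdr = basic_header(USERNAME, PASSWORD)
    print("Basic on the wire:", hdr, "-> recovered:", basic_recover(hdr))
    dhdr = digest_header(USERNAME, PASSWORD, REALM, NONCE, "GET", URI)
    print("Digest on the wire:", dhdr)
    print("server accepts GET:", server_verify_digest(dhdr, "GET"))
    print("server accepts PROPFIND with same header:", server_verify_digest(dhdr, "PROPFIND"))
```

Run it and the Basic header decodes straight back to "Circle Of Life", while the Digest header carries only the 32-hex-digit response (for the RFC's sample inputs, 6629fae49393a05397450978507c4ef1). Note that the server must still hold either the password or the precomputed HA1 (which is what Apache's htdigest file stores), so Digest protects the wire, not the credential store.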
Received on Tuesday, 23 October 2001 14:29:59 UTC