- From: Matt Timmermans <mtimmerm@opentext.com>
- Date: Thu, 25 Oct 2001 12:31:16 -0400
- To: "'Larry Masinter - LMM@acm.org'" <lmnet@attglobal.net>, "'Jösh'" <josh@bluescreen.org>, "'Jim Whitehead'" <ejw@cse.ucsc.edu>, <w3c-dist-auth@w3.org>

> -----Original Message-----
> From: Larry Masinter
> [...]
> The standards group must choose a baseline that is both
> "secure enough" and "interoperable enough". So far, the group
> chose "must support Digest". If you change it to "must support
> Digest OR basic+SSL" on the server side, then you're mandating
> "must support Digest AND basic+SSL" on the client side.
>
> This is nice for server implementors but maybe not as nice for
> client implementors.

You wouldn't want to tell clients that they have to respond to any particular scheme, because a client might be used in a more restrictive environment. It is no trouble at all, however, to require _clients_ to support (really support!) Digest if they support Basic, because there are no _client-side_ security parameters that Basic meets, but Digest doesn't.

Received on Thursday, 25 October 2001 12:32:43 UTC