- From: Larry Masinter <LMM@acm.org>
- Date: Thu, 25 Oct 2001 19:37:56 -0700
- To: "Jason Crawford" <ccjason@us.ibm.com>
- Cc: <w3c-dist-auth@w3.org>
Jason Crawford asked:

> Are you expressing a preference for any particular approach with your
> posting below?

I'm trying to give some guidance about the basic rules of standards making in the IETF:

a) the standard should assure interoperability
b) the standard should require implementation of security adequate for its stated purpose
c) standards should avoid requiring implementation of patented technologies

For WebDAV, the stated purpose is "web distributed authoring". Other uses, like for software configuration management or accessing exchange mailboxes, are fine, but they're not the stated purpose.

Saying "authentication must be used" doesn't assure interoperability, because the clients might not implement the authentication mechanism that the server requires. Requiring that "the authentication method used must not have passwords in the clear" doesn't help. I think what RFC 2518 says is that WebDAV clients must USE digest authentication for authentication.

(a) means that if you have a compliant client and a compliant server, they should work together. Letting servers implement basic with SSL only without requiring clients to implement basic with SSL means you wouldn't have interoperability. Requiring clients to implement SSL means (I think) that you're requiring them to implement patented technology. Not requiring any security means that you break (b).

> If not, what would you suggest that the spec say? (Feel free
> to post to the list and guide the resolution of this.)

I think RFC 2518's "MUST support digest" meets the criteria above, especially if you interpret "support" to mean "actually use as an access authentication method". I suggest that the spec stay as it is in RFC 2518 unless you can come up with something that everyone agrees (1) it's better, and (2) it also meets the criteria.

> Also, do you know if the powers that be would accept us either saying
> nothing beyond the fact that authentication should be used?

No, because of (a); it doesn't guarantee interoperability.

> If not, would
> they accept it if we additionally specify that the authentication schemes
> used avoid sending privileged info in the clear?

It still doesn't guarantee interoperability.

Received on Thursday, 25 October 2001 22:39:33 UTC