- From: Jim Whitehead <ejw@cse.ucsc.edu>
- Date: Thu, 1 Nov 2001 17:52:37 -0800
- To: <w3c-dist-auth@w3.org>
Jason Crawford pointed out to me that we never resolved the Digest authentication issue, so let me take a stab at it. If you quibble with the wording below, don't just say you don't like it -- suggest some alternate wording.

Dylan Barrel [1] and Alan Kent [2] describe the issues with supporting Digest authentication on the server, and their contention that support for Digest is unacceptable:

[1] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0062.html
[2] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0087.html

I clarified the meaning of "supports Digest authentication" in [3]:

[3] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0073.html

I think Matt Timmerman's post [4] has the start of a solution:

[4] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0080.html

Thus, I propose the following authentication requirements:

* Basic MUST NOT be used unless the connection is secure. Secure is defined to be TLS over the Internet, a physically secure network, or a network behind a well-administered firewall.
  Client requirements: MUST support Basic, SSL/TLS support is STRONGLY RECOMMENDED
  Server requirements: SHOULD support Basic, SSL/TLS support is STRONGLY RECOMMENDED

* Digest SHOULD be used when the connection is insecure, such as a non-TLS connection over the Internet.
  Client requirements: MUST support Digest
  Server requirements: SHOULD support Digest, but it is acceptable for Digest authentication to be disabled by default. It SHOULD be possible for an administrator to configure a server to use Digest.

* Additional authentication schemes beyond Basic and Digest MAY be supported, whether or not described in an IETF specification. Implementors should be aware that use of other authentication schemes guarantees some level of non-interoperation of that authentication scheme, since all WebDAV clients and servers cannot be expected to support that authentication scheme. So, for example, it's OK for people to support NTLM.
* Finally, to guarantee some level of authentication will be possible: a server MUST at minimum support either Basic OR Digest. A server SHOULD support Basic AND Digest.

Note that the terms MUST and SHOULD are being used as defined in RFC 2119:

  1. MUST  This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

  3. SHOULD  This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

For example, I would say that Dylan and Matt have carefully weighed the implications of Digest support, and so if they decided not to support Digest under the language above, this would meet the letter and the spirit of the proposed language.

Comments?

- Jim
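An added example (not part of the thread or any WebDAV implementation) of how a server could enforce the proposed requirements when choosing its 401 challenges and screening an Authorization header. The `AuthPolicy` class, its fields and the `connection_secure` flag (set by the administrator for TLS, a physically secure network or a firewalled one) are assumptions of this example.

```python
"""Server-side scheme selection under the proposed WebDAV auth rules.

Constructed example: Digest is off by default but can be enabled by an
administrator; Basic is only ever offered or accepted on a connection the
administrator has declared secure; a server with neither scheme is rejected.
"""
import secrets
from dataclasses import dataclass


@dataclass
class AuthPolicy:
    basic_enabled: bool = True     # server SHOULD support Basic
    digest_enabled: bool = False   # SHOULD support Digest; may ship disabled
    realm: str = "WebDAV"          # hypothetical realm name

    def __post_init__(self):
        # A server MUST at minimum support either Basic OR Digest.
        if not (self.basic_enabled or self.digest_enabled):
            raise ValueError("server must support Basic or Digest")

    def challenges(self, connection_secure: bool) -> list:
        """WWW-Authenticate values to send on a 401 for this connection.

        An empty list means this server cannot authenticate the client on
        this connection (e.g. Basic-only server, insecure connection).
        """
        out = []
        if self.digest_enabled:
            nonce = secrets.token_hex(16)  # fresh per-challenge nonce
            out.append(f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"')
        # Basic MUST NOT be used unless the connection is secure.
        if self.basic_enabled and connection_secure:
            out.append(f'Basic realm="{self.realm}"')
        return out

    def accepts(self, authorization_header: str, connection_secure: bool) -> bool:
        """Whether credentials in this scheme may even be examined.

        Returning False means: reply 401 with challenges() and do not look
        at the credential, so a Basic header sent in the clear is never
        validated (and never leaks a usable password check).
        """
        scheme = authorization_header.split(None, 1)[0].lower()
        if scheme == "basic":
            return self.basic_enabled and connection_secure
        if scheme == "digest":
            return self.digest_enabled
        return False  # other schemes (e.g. NTLM) need their own handling
```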
Received on Thursday, 1 November 2001 20:56:39 UTC