Re: Resolving Digest authentication issue

On Thu, Nov 01, 2001 at 05:52:37PM -0800, Jim Whitehead wrote:
> * Basic MUST NOT be used unless the connection is secure. Secure is defined
> to be TLS over the Internet, a physically secure network, or a network
> behind a well-administered firewall.
> 
> Client requirements: MUST support Basic, SSL/TLS support is STRONGLY
> RECOMMENDED
> Server requirements: SHOULD support Basic, SSL/TLS support is STRONGLY
> RECOMMENDED
> 
> * Digest SHOULD be used when the connection is insecure, such as a non-TLS
> connection over the Internet.
> 
> Client requirements: MUST support Digest
> Server requirements: SHOULD support Digest, but it is acceptable for Digest
> authentication to be disabled by default. It SHOULD be possible for an
> administrator to configure a server to use Digest.
> 
> * Additional authentication schemes beyond Basic and Digest MAY be
> supported, whether or not described in an IETF specification. Implementors
> should be aware that use of other authentication schemes guarantees some
> level of non-interoperation of that authentication scheme, since all WebDAV
> clients and servers cannot be expected to support that authentication
> scheme.
> 
> * Finally, to guarantee some level of authentication will be possible: a
> server MUST at minimum support either Basic OR Digest. A server SHOULD
> support Basic AND Digest.
...
> Comments?
> 
> - Jim

Sounds good to me.
Alan

Received on Thursday, 1 November 2001 21:53:46 UTC
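
A client-side reading of the rules proposed in this thread, as an added example that is not part of the original messages or of any WebDAV implementation: it parses the challenges a server offers in `WWW-Authenticate` and never selects Basic on a connection the caller has not marked secure. The names `parse_challenges`, `select_scheme` and `connection_secure` are hypothetical, preferring Digest even on a secure connection is this example's assumption, and the parser handles only the common `name=value` challenge form.

```python
import re

# Constructed sample headers (not taken from the thread).
SAMPLE_BOTH = 'Basic realm="dav", Digest realm="dav", nonce="abc,def", qop="auth"'
SAMPLE_BASIC_ONLY = 'Basic realm="dav"'

# Items are separated by commas that are not inside a quoted-string.
_ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')
_TOKEN = re.compile(r'([A-Za-z][A-Za-z0-9_-]*)\s*(=?)')

def _add_param(params, text):
    name, _, value = text.partition("=")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]                 # drop the surrounding quotes
    params[name.strip().lower()] = value

def parse_challenges(header):
    """Parse a WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges = []
    for item in _ITEM.findall(header):
        item = item.strip()
        m = _TOKEN.match(item)
        if not m:
            continue
        if m.group(2):                      # "name=value": belongs to the current challenge
            if challenges:
                _add_param(challenges[-1][1], item)
        else:                               # "Scheme [name=value]": a new challenge starts
            params = {}
            rest = item[m.end(1):].strip()
            if rest:
                _add_param(params, rest)
            challenges.append((m.group(1), params))
    return challenges

def select_scheme(header, connection_secure):
    """Return (scheme, params) to answer with, or (None, {}) to send no credentials.

    connection_secure is the caller's judgement of the proposal's definition:
    TLS, a physically secure network, or a well-administered firewall.
    """
    offered = {s.lower(): p for s, p in parse_challenges(header)}
    if "digest" in offered:                 # acceptable on any connection
        return "Digest", offered["digest"]
    if "basic" in offered and connection_secure:
        return "Basic", offered["basic"]    # Basic only when the connection is secure
    return None, {}                         # Basic-only offer on an insecure connection
```
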