- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Fri, 2 Nov 2001 11:24:08 +0100
- To: "Jim Whitehead" <ejw@cse.ucsc.edu>, <w3c-dist-auth@w3.org>
Fine with me.

//Stefan

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Jim Whitehead
> Sent: Friday, November 02, 2001 2:53 AM
> To: w3c-dist-auth@w3.org
> Subject: Resolving Digest authentication issue
>
> Jason Crawford pointed out to me that we never resolved the Digest
> authentication issue, so let me take a stab at it. If you quibble with the
> wording below, don't just say you don't like it -- suggest some alternate
> wording.
>
> Dylan Barrel [1] and Alan Kent [2] describe the issues with supporting
> Digest authentication on the server, and their contention that support for
> Digest is unacceptable:
>
> [1] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0062.html
> [2] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0087.html
>
> I clarified the meaning of "supports Digest authentication" in [3]:
>
> [3] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0073.html
>
> I think Matt Timmerman's post [4] has the start of a solution:
>
> [4] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0080.html
>
> Thus, I propose the following authentication requirements:
>
> * Basic MUST NOT be used unless the connection is secure. Secure is defined
> to be TLS over the Internet, a physically secure network, or a network
> behind a well-administered firewall.
>
> Client requirements: MUST support Basic, SSL/TLS support is STRONGLY
> RECOMMENDED
> Server requirements: SHOULD support Basic, SSL/TLS support is STRONGLY
> RECOMMENDED
>
> * Digest SHOULD be used when the connection is insecure, such as a non-TLS
> connection over the Internet.
>
> Client requirements: MUST support Digest
> Server requirements: SHOULD support Digest, but it is acceptable for Digest
> authentication to be disabled by default. It SHOULD be possible for an
> administrator to configure a server to use Digest.
>
> * Additional authentication schemes beyond Basic and Digest MAY be
> supported, whether or not described in an IETF specification. Implementors
> should be aware that use of other authentication schemes guarantees some
> level of non-interoperation of that authentication scheme, since all WebDAV
> clients and servers cannot be expected to support that authentication
> scheme.
>
> So, for example, it's OK for people to support NTLM.
>
> * Finally, to guarantee some level of authentication will be possible: a
> server MUST at minimum support either Basic OR Digest. A server SHOULD
> support Basic AND Digest.
>
> Note that the terms MUST and SHOULD are being used as defined in RFC 2119:
>
> 1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the
> definition is an absolute requirement of the specification.
>
> 3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
> may exist valid reasons in particular circumstances to ignore a
> particular item, but the full implications must be understood and
> carefully weighed before choosing a different course.
>
> For example, I would say that Dylan and Matt have carefully weighed the
> implications of Digest support, and so if they decided not to support Digest
> under the language above, this would meet the letter and the spirit of the
> proposed language.
>
> Comments?
>
> - Jim
Received on Friday, 2 November 2001 05:23:15 UTC
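The requirements quoted in the thread above, worked through as an added example (not code from the thread or from any WebDAV implementation): a minimal server-side policy in Python that offers Basic only when the connection is secure, refuses Basic credentials on an insecure connection, and verifies Digest (RFC 2617, qop=auth) against a stored HA1. The realm, the user list and the single-use nonce handling are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example: the server stores only HA1 = MD5(user:realm:password) per user
# (the value Digest verification needs), never the cleartext password.
REALM = "webdav@example.test"

def ha1(user, password):
    return hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()

USERS = {"alice": ha1("alice", "correct horse")}  # constructed credential store

def challenges(connection_secure, basic_enabled=True, digest_enabled=True):
    """WWW-Authenticate values to offer under the proposed rules: Digest when the
    administrator enabled it, Basic only when the connection counts as secure."""
    offered = []
    if digest_enabled:
        offered.append(f'Digest realm="{REALM}", qop="auth", nonce="{secrets.token_hex(16)}"')
    if basic_enabled and connection_secure:
        offered.append(f'Basic realm="{REALM}"')
    return offered

def basic_credentials(user, password):
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def verify_basic(token, connection_secure):
    """Basic MUST NOT be used on an insecure connection; otherwise check against HA1."""
    if not connection_secure:
        return False
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user in USERS and hmac.compare_digest(USERS[user], ha1(user, password))

def digest_response(user_ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{user_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()

def verify_digest(params, method, issued_nonces):
    """Server-side Digest check: the nonce must be one this server issued and not yet
    consumed, and the client's response must match what HA1 yields for this method/URI."""
    user, nonce = params.get("username"), params.get("nonce")
    if user not in USERS or nonce not in issued_nonces:
        return False
    expected = digest_response(USERS[user], method, params["uri"], nonce, params["nc"], params["cnonce"])
    if not hmac.compare_digest(expected, params.get("response", "")):
        return False
    issued_nonces.discard(nonce)  # single use here; real servers track the nc counter instead
    return True
```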