- From: Matt Timmermans <mtimmerm@opentext.com>
- Date: Fri, 2 Nov 2001 11:38:08 -0500
- To: "'Jim Whitehead'" <ejw@cse.ucsc.edu>, <w3c-dist-auth@w3.org>
I like it.

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Jim Whitehead
> Sent: Thursday, November 01, 2001 8:53 PM
> To: w3c-dist-auth@w3.org
> Subject: Resolving Digest authentication issue
>
>
> Jason Crawford pointed out to me that we never resolved the Digest
> authentication issue, so let me take a stab at it. If you quibble with the
> wording below, don't just say you don't like it -- suggest some alternate
> wording.
>
> Dylan Barrel [1] and Alan Kent [2] describe the issues with supporting
> Digest authentication on the server, and their contention that support for
> Digest is unacceptable:
>
> [1] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0062.html
> [2] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0087.html
>
> I clarified the meaning of "supports Digest authentication" in [3]:
>
> [3] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0073.html
>
> I think Matt Timmermans' post [4] has the start of a solution:
>
> [4] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0080.html
>
> Thus, I propose the following authentication requirements:
>
> * Basic MUST NOT be used unless the connection is secure. Secure is defined
> to be TLS over the Internet, a physically secure network, or a network
> behind a well-administered firewall.
>
> Client requirements: MUST support Basic, SSL/TLS support is STRONGLY
> RECOMMENDED
> Server requirements: SHOULD support Basic, SSL/TLS support is STRONGLY
> RECOMMENDED
>
> * Digest SHOULD be used when the connection is insecure, such as a non-TLS
> connection over the Internet.
>
> Client requirements: MUST support Digest
> Server requirements: SHOULD support Digest, but it is acceptable for Digest
> authentication to be disabled by default. It SHOULD be possible for an
> administrator to configure a server to use Digest.
>
> * Additional authentication schemes beyond Basic and Digest MAY be
> supported, whether or not described in an IETF specification. Implementors
> should be aware that use of other authentication schemes guarantees some
> level of non-interoperation of that authentication scheme, since all WebDAV
> clients and servers cannot be expected to support that authentication
> scheme.
>
> So, for example, it's OK for people to support NTLM.
>
> * Finally, to guarantee some level of authentication will be possible: a
> server MUST at minimum support either Basic OR Digest. A server SHOULD
> support Basic AND Digest.
>
> Note that the terms MUST and SHOULD are being used as defined in RFC 2119:
>
> 1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the
> definition is an absolute requirement of the specification.
>
> 3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
> may exist valid reasons in particular circumstances to ignore a
> particular item, but the full implications must be understood and
> carefully weighed before choosing a different course.
>
> For example, I would say that Dylan and Matt have carefully weighed the
> implications of Digest support, and so if they decided not to support Digest
> under the language above, this would meet the letter and the spirit of the
> proposed language.
>
> Comments?
>
> - Jim
Received on Friday, 2 November 2001 11:39:14 UTC
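Added example, not part of the thread and not code from any WebDAV implementation: a minimal server-side policy that applies the rules Jim proposes. On an insecure connection the server challenges with Digest only and refuses Basic credentials outright; on a secure connection it offers both. Digest is the RFC 2617 MD5 / qop=auth form that the list was discussing, and the server stores only H(A1), which is the storage change Dylan and Alan objected to, and which also lets the same record verify Basic. The realm, user, password, nonces and header values are all constructed here; nonce-count replay tracking and the nonce-lifetime checks a real server needs are omitted, and MD5-based Digest is weak by today's standards.

```python
"""Added example (not from the list thread): Basic/Digest policy per the proposal.
Realm, users, nonces and headers below are constructed for illustration."""
import base64
import hashlib
import re
import secrets

REALM = "dav.example.org"  # hypothetical realm


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, password: str, realm: str = REALM) -> str:
    """H(A1) = MD5(user:realm:password): what a Digest server stores instead of the password."""
    return _md5(f"{username}:{realm}:{password}")


# Constructed user database: H(A1) only, no plaintext password.
USERS = {"alice": ha1("alice", "correct horse battery staple")}


def challenges(connection_secure: bool, digest_enabled: bool, nonce: str) -> list:
    """WWW-Authenticate values to send on a 401. Empty list: no acceptable scheme."""
    out = []
    if digest_enabled:  # Digest SHOULD be used when the connection is insecure
        out.append(f'Digest realm="{REALM}", qop="auth", algorithm=MD5, nonce="{nonce}"')
    if connection_secure:  # Basic MUST NOT be used unless the connection is secure
        out.append(f'Basic realm="{REALM}"')
    return out


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> dict:
    """Parse the comma-separated auth-params of a Digest Authorization header."""
    return {k: (q or u) for k, q, u in _PARAM.findall(header[len("Digest "):])}


def client_digest_authorization(username, password, method, uri, nonce, cnonce, nc="00000001"):
    """What a client sends: the response binds password, nonce, method and URI."""
    h2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1(username, password)}:{nonce}:{nc}:{cnonce}:auth:{h2}")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}", algorithm=MD5')


def client_basic_authorization(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def authenticate(authorization, method, uri, connection_secure, issued_nonce):
    """Return the authenticated username, or None. Applies the proposed policy."""
    if authorization is None:
        return None
    scheme, _, rest = authorization.partition(" ")
    if scheme == "Basic":
        if not connection_secure:
            return None  # never accept a cleartext password on an insecure connection
        try:
            user, _, pw = base64.b64decode(rest).decode("utf-8").partition(":")
        except Exception:
            return None
        stored = USERS.get(user)
        # Stored H(A1) verifies Basic too: recompute H(A1) from the presented password.
        if stored is not None and secrets.compare_digest(stored, ha1(user, pw)):
            return user
        return None
    if scheme == "Digest":
        p = parse_digest(authorization)
        required = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}
        if not required.issubset(p):
            return None
        if p["realm"] != REALM or p["nonce"] != issued_nonce or p["uri"] != uri or p["qop"] != "auth":
            return None
        stored = USERS.get(p["username"])
        if stored is None:
            return None
        h2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{stored}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{h2}")
        return p["username"] if secrets.compare_digest(expected, p["response"]) else None
    return None  # other schemes (e.g. NTLM) MAY exist but are not handled here
```

The server-side nonce should be generated with `secrets.token_hex()` per challenge and remembered, together with the last `nc` seen for it, so that a captured Digest response cannot be replayed; the policy functions above take the issued nonce as a parameter so that bookkeeping can live wherever the server keeps session state.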