RE: Resolving Digest authentication issue

I like it.

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Jim Whitehead
> Sent: Thursday, November 01, 2001 8:53 PM
> To: w3c-dist-auth@w3.org
> Subject: Resolving Digest authentication issue
> 
> Jason Crawford pointed out to me that we never resolved the Digest
> authentication issue, so let me take a stab at it. If you quibble with the
> wording below, don't just say you don't like it -- suggest some alternate
> wording.
> 
> Dylan Barrel [1] and Alan Kent [2] describe the issues with supporting
> Digest authentication on the server, and their contention that support for
> Digest is unacceptable:
> 
> [1] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0062.html
> [2] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0087.html
> 
> I clarified the meaning of "supports Digest authentication" in [3]:
> 
> [3] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0073.html
> 
> I think Matt Timmerman's post [4] has the start of a solution:
> 
> [4] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0080.html
> 
> Thus, I propose the following authentication requirements:
> 
> * Basic MUST NOT be used unless the connection is secure. Secure is defined
> to be TLS over the Internet, a physically secure network, or a network
> behind a well-administered firewall.
> 
> Client requirements: MUST support Basic, SSL/TLS support is STRONGLY
> RECOMMENDED
> Server requirements: SHOULD support Basic, SSL/TLS support is STRONGLY
> RECOMMENDED
> 
> * Digest SHOULD be used when the connection is insecure, such as a non-TLS
> connection over the Internet.
> 
> Client requirements: MUST support Digest
> Server requirements: SHOULD support Digest, but it is acceptable for Digest
> authentication to be disabled by default. It SHOULD be possible for an
> administrator to configure a server to use Digest.
> 
> * Additional authentication schemes beyond Basic and Digest MAY be
> supported, whether or not described in an IETF specification. Implementors
> should be aware that use of other authentication schemes guarantees some
> level of non-interoperation of that authentication scheme, since all WebDAV
> clients and servers cannot be expected to support that authentication
> scheme.
> 
> So, for example, it's OK for people to support NTLM.
> 
> * Finally, to guarantee some level of authentication will be possible: a
> server MUST at minimum support either Basic OR Digest. A server SHOULD
> support Basic AND Digest.
> 
> Note that the terms MUST and SHOULD are being used as defined in RFC 2119:
> 
> 1. MUST   This word, or the terms "REQUIRED" or "SHALL", mean that the
>    definition is an absolute requirement of the specification.
> 
> 3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
>    may exist valid reasons in particular circumstances to ignore a
>    particular item, but the full implications must be understood and
>    carefully weighed before choosing a different course.
> 
> For example, I would say that Dylan and Matt have carefully weighed the
> implications of Digest support, and so if they decided not to support Digest
> under the language above, this would meet the letter and the spirit of the
> proposed language.
> 
> Comments?
> 
> - Jim

Received on Friday, 2 November 2001 11:39:14 UTC
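Editor's note, added to this archived message and not part of the thread or of any WebDAV implementation: the proposal above amounts to a small server-side policy (offer Basic only when the connection is secure, offer Digest whenever the administrator has enabled it, refuse both otherwise) plus the Digest arithmetic of RFC 2617 that a server must perform to honour it. The example below puts both into working Python. Function names, the realm string and the policy helper are hypothetical; the Digest and Basic vectors in the demo are the worked examples from RFC 2617 itself (user "Mufasa", realm "testrealm@host.com"; "Aladdin:open sesame"), and the server stores only H(A1), never the cleartext password.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Added example; not code from the WebDAV working group or from any server.
# Digest arithmetic follows RFC 2617 (MD5, qop="auth"). Names are hypothetical.


def choose_challenges(connection_secure, digest_enabled, realm="webdav", nonce=None):
    """WWW-Authenticate challenges the server may send under the proposed rules.
    Basic only on a secure connection; Digest whenever the administrator enabled it.
    An empty list means the policy forbids every scheme the server has (Basic on
    an insecure link with Digest disabled), so the server must refuse."""
    challenges = []
    if digest_enabled:
        nonce = nonce or secrets.token_hex(16)  # fresh server nonce per challenge
        challenges.append(
            f'Digest realm="{realm}", qop="auth", algorithm=MD5, nonce="{nonce}"')
    if connection_secure:
        challenges.append(f'Basic realm="{realm}"')
    return challenges


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """H(A1) = MD5(user:realm:password); this is what the server stores."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth:
    MD5(H(A1):nonce:nc:cnonce:qop:H(A2)) with H(A2) = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(header):
    """Parse 'Digest k="v", k=v, ...' into a dict; None if not a Digest header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}


def verify_digest_header(header, method, issued_nonce, lookup_ha1):
    """Server-side check of an Authorization: Digest header.
    The nonce must be the one this server issued, and the client's response
    must equal the digest recomputed from the stored H(A1). The method is
    bound into H(A2), so a response captured for GET does not authorise PROPFIND."""
    p = parse_digest_header(header)
    if p is None or p.get("nonce") != issued_nonce or p.get("qop", "auth") != "auth":
        return False
    ha1 = lookup_ha1(p.get("username", ""), p.get("realm", ""))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, p.get("uri", ""), p["nonce"],
                               p.get("nc", ""), p.get("cnonce", ""))
    return hmac.compare_digest(expected, p.get("response", ""))


def basic_credentials(header):
    """What any on-path observer recovers from a Basic header on a non-TLS link:
    the credentials are merely base64, not protected in any way."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(blob).decode("latin-1").partition(":")
    return user, password


# Vectors from RFC 2617 section 3.5 (not constructed), used by the demo below.
RFC2617_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC2617_HA1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
RFC2617_AUTHZ = ('Digest username="Mufasa", realm="testrealm@host.com", '
                 f'nonce="{RFC2617_NONCE}", uri="/dir/index.html", qop=auth, '
                 'nc=00000001, cnonce="0a4f113b", '
                 'response="6629fae49393a05397450978507c4ef1"')


def rfc2617_lookup(username, realm):
    """Stand-in for the server's credential store: returns stored H(A1) or None."""
    if (username, realm) == ("Mufasa", "testrealm@host.com"):
        return RFC2617_HA1
    return None


if __name__ == "__main__":
    print("insecure, Digest off:", choose_challenges(False, False))
    print("secure, Digest on:   ", choose_challenges(True, True, nonce=RFC2617_NONCE))
    print("GET verifies:     ", verify_digest_header(RFC2617_AUTHZ, "GET", RFC2617_NONCE, rfc2617_lookup))
    print("PROPFIND verifies:", verify_digest_header(RFC2617_AUTHZ, "PROPFIND", RFC2617_NONCE, rfc2617_lookup))
    print("Basic reveals:    ", basic_credentials("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```

The nonce check in verify_digest_header is the part a server most often gets wrong: without it, a captured Digest response replays indefinitely. A real server would also expire nonces and track the nc counter per nonce, which this example omits.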