Digest authentication

(the post copied below reminded me to say something)

The Mac OS X 10.2 WebDAV file system client posts a warning for Basic 
authentication over connections which are not secure.

Because RFC2518 section 17.1 says, "Since Basic authentication for 
HTTP/1.1 performs essentially clear text transmission of a password, 
Basic authentication MUST NOT be used to authenticate a WebDAV client 
to a server unless the connection is secure", we thought about 
disabling Basic authentication until our client supports secure 
connections. However, we found many servers allow access over insecure 
connections, require authentication, but support only Basic and not 
Digest. Instead of cutting off access to those servers (which do not 
comply with RFC2518), we decided to allow Basic to be used but only 
after the user clicks through a warning dialog which reads, "You have 
been challenged by a WebDAV server which is not secure. If you continue 
and supply your username and password, they can be read while in 
transit."

Once secure connection support is added to our client, we may revisit 
this issue and only allow Basic authentication when the connection is 
secure.

I should have brought this issue up during the Interop event in Santa 
Cruz, because many of the servers I tested against there did not 
support Digest authentication. Since Digest support is a MUST in 
RFC2518, it would be nice if our client could depend on it and not have 
to bother users with a warning.

- Jim

On Tuesday, September 17, 2002, at 05:47 PM, Eric Sedlar wrote:

>
> As long as you don't mind a client saying something to the effect of:
>
> "This server does not support the minimal level of functionality that
> <product> requires of a WebDAV server (ETags).  We strongly discourage
> you from using this server, as you may lose work."
>
> when it points at your server, then go ahead and don't support ETags.
>
> --Eric
>
> ----- Original Message -----
> From: "Clemm, Geoff" <gclemm@rational.com>
> To: "Webdav WG" <w3c-dist-auth@w3c.org>
> Sent: Tuesday, September 17, 2002 6:50 AM
> Subject: RE: ETags, was: Issues from Interop/Interim WG Meeting
>
>
>>
>> I agree.
>>
>> -----Original Message-----
>> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>> Sent: Tuesday, September 17, 2002 4:58 AM
>> To: Lisa Dusseault; Webdav WG
>> Subject: ETags, was: Issues from Interop/Interim WG Meeting
>>
>>
>>
>>> From: w3c-dist-auth-request@w3.org
>>> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Lisa Dusseault
>>> Sent: Sunday, September 15, 2002 8:14 PM
>>> To: Webdav WG
>>> Subject: Issues from Interop/Interim WG Meeting
>>>
>>> ...
>>> -  Be clear in spec that servers MUST do ETags. Explain how necessary
>>> this is to solve the lost update problem.
>>> ..
>>
>> ETags are a good thing, correct. However, HTTP (RFC2616) doesn't
>> require them, RFC2518 doesn't require them, and they *aren't* required
>> for interoperability. So there's no way to require them in RFC2518bis
>> -- it would break all servers that don't have them.
>>
>> Julian
>>
>> --
>> <green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760
>>
>>
>

Received on Tuesday, 17 September 2002 21:17:53 UTC
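The client policy Jim describes (use Digest when the server offers it; send Basic only over a secure connection; otherwise warn the user that the password can be read in transit), as an added example that is not part of the original post and not Apple's WebDAV client code. It parses a server's WWW-Authenticate challenges, applies that policy, and builds the Authorization header for both schemes so the difference on the wire is visible: Basic carries the password itself (base64 is an encoding, not protection), Digest carries only an MD5 hash over the password, nonce and request. The challenge strings are constructed, the function names are hypothetical, and the Digest computation follows RFC 2617 (falling back to the RFC 2069 form that RFC2518 cites when the server sends no qop).

```python
"""Client-side handling of Basic vs. Digest challenges over an insecure
WebDAV connection. Added illustration (hypothetical names, constructed
challenges), not the client code discussed in the post."""
import base64
import hashlib
import re
import secrets

# One name=value pair inside a challenge, quoted-string or token form.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(value):
    """Parse one WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme.lower(), params


def choose_auth(challenges, connection_secure):
    """Policy from the post: Digest if offered; Basic only over a secure
    connection; otherwise the client must warn before sending credentials.
    Returns "digest", "basic", "warn" or "none"."""
    schemes = {scheme for scheme, _ in challenges}
    if "digest" in schemes:
        return "digest"
    if "basic" in schemes:
        return "basic" if connection_secure else "warn"
    return "none"


def basic_authorization(user, password):
    """RFC 2617 Basic: base64(user:password), i.e. the password in the clear."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def _h(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_authorization(user, password, method, uri, params, cnonce=None, nc=1):
    """RFC 2617 Digest with MD5 and qop=auth; RFC 2069 form when no qop is offered."""
    realm, nonce = params["realm"], params["nonce"]
    ha1 = _h(f"{user}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    fields = [f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"', f'uri="{uri}"']
    offered = [q.strip() for q in params.get("qop", "").split(",") if q.strip()]
    if "auth" in offered:
        cnonce = cnonce or secrets.token_hex(8)
        nc_str = f"{nc:08x}"
        response = _h(f"{ha1}:{nonce}:{nc_str}:{cnonce}:auth:{ha2}")
        fields += ["qop=auth", f"nc={nc_str}", f'cnonce="{cnonce}"']
    else:
        response = _h(f"{ha1}:{nonce}:{ha2}")
    fields.append(f'response="{response}"')
    if "opaque" in params:
        fields.append(f'opaque="{params["opaque"]}"')
    return "Digest " + ", ".join(fields)


def password_on_the_wire(authorization, password):
    """What a passive observer gets: True if the password can be read
    straight out of the Authorization header."""
    scheme, _, rest = authorization.partition(" ")
    if scheme == "Basic":
        return password in base64.b64decode(rest).decode(errors="replace")
    return password in rest


if __name__ == "__main__":
    # Constructed challenges, not captured from any real server.
    basic_only = [parse_challenge('Basic realm="WebDAV"')]
    print("Basic-only server, insecure connection:", choose_auth(basic_only, False))
    both = basic_only + [parse_challenge(
        'Digest realm="WebDAV", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth"')]
    print("Server that also offers Digest:", choose_auth(both, False))
    b = basic_authorization("jim", "s3cret")
    d = digest_authorization("jim", "s3cret", "PROPFIND", "/dav/", both[1][1])
    print("Basic leaks password:", password_on_the_wire(b, "s3cret"))
    print("Digest leaks password:", password_on_the_wire(d, "s3cret"))
```

The "warn" result is the point at which the client in the post shows its dialog. Digest keeps the password string itself off the wire, but it does not protect the request or response bodies, and the captured response value can still be attacked offline by guessing passwords, so it is a mitigation for the password, not a substitute for a secure connection.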