I agree. HTTPS+Basic is better than Digest Authentication, which is fatally flawed.
Section 4.11 of RFC2617 addresses this issue, but not in plain terms, so many have overlooked it. RFC2617 section 4.13 says "First the password file must be protected as if it contained unencrypted passwords, because for the purpose of accessing documents in its realm, it effectively does." Here's what that means:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James M Snell
Sent: Tuesday, February 14, 2006 11:59 AM
To: atom-protocol
Subject: HTTP authentication

Our implementation of APP currently uses HTTP Basic authentication over an SSL connection. The spec calls for "HTTP Digest Authentication and/or CGI Authentication" and includes a comment "[rfc.comment.4: expand on HTTP basic and digest authentication, or refer.]"

With our implementation(s), we would like to be able to use as broad a spectrum of authentication mechanisms as possible -- without being limited to just one or two mechanisms. The choice should be up to the application.

So what's the story here? We obviously need to complete this section. I'm not a security expert and typically just end up sounding silly when I try to write up anything remotely related to security so it would be great if someone could write up a piece that fills in the security section.

- James
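As an added illustration of the RFC2617 section 4.13 point quoted in the reply above (example code written for this page, not part of the thread), the following Python computes the Digest response from the server's stored HA1 alone and shows that the server's own check accepts it, which is why the HA1 file must be protected like a plaintext password file. The input values are the worked example from RFC 2617 section 3.5; the function names are this example's own.

```python
import hashlib
import hmac

# Test vector published in RFC 2617 section 3.5 (qop=auth).
USERNAME = "Mufasa"
REALM = "testrealm@host.com"
PASSWORD = "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
NC = "00000001"
URI = "/dir/index.html"
METHOD = "GET"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is the value a Digest
    server keeps in its password file instead of the password itself."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str) -> str:
    """Client response for qop=auth (RFC 2617 section 3.2.2.1).
    Note that only HA1 enters the computation, never the password."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server-side check: recompute from the stored HA1 and compare."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    stored_ha1 = compute_ha1(USERNAME, REALM, PASSWORD)  # server's file entry
    # A client that knows the password derives HA1 and answers the challenge.
    from_password = digest_response(compute_ha1(USERNAME, REALM, PASSWORD),
                                    METHOD, URI, NONCE, NC, CNONCE)
    # A client holding only the stored HA1 (no password) produces the same answer,
    # so the stored value is password-equivalent within this realm.
    from_stored = digest_response(stored_ha1, METHOD, URI, NONCE, NC, CNONCE)
    return {"response": from_password,
            "stored_hash_suffices": server_verify(stored_ha1, METHOD, URI,
                                                  NONCE, NC, CNONCE, from_stored)}
```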
