-1 (See inline)

On 2/22/06, James M Snell <[EMAIL PROTECTED]> wrote:
>
> http://www.intertwingly.net/wiki/pie/PaceBasicAuthentication
...
> All instances of publishing Atom Format entries SHOULD be protected
> by authentication to prevent posting or editing by unknown sources.
> Atom Protocol servers and clients MUST support one of the following
> authentication mechanisms, and SHOULD support both.

You would be hard pressed to find a *single* web service today that supports both Basic and Digest at the same time. I know the spec says that it's possible, the reality is that it just isn't done.

Mandating any specific auth implementation doesn't add to interop and will only add to the burden of people trying to build 'conformant' implementations. Now I realize it sounds like I am contradicting myself here as I have said that we need to add constraints to improve interop, but in this case HTTP already has an automatic authentication negotiation mechanism built into it. We aren't improving the situation by selecting a subset of the currently weak field of HTTP auth options and making them mandatory.

-joe

>
> o HTTP Basic Authentication [RFC2617]
>
> o HTTP Digest Authentication [RFC2617]
>
> o CGI Authentication
>
> Atom Protocol servers and clients using HTTP Basic Authentication SHOULD
> support encryption of the session using TLS (see [RFC2246]). Servers and
> clients using other authentication methods MAY support encryption of the
> session using TLS.
>
> There are cases where an authentication mechanism might not be
> required, such as a publicly editable Wiki, or when using POST to
> send comments to a site that does not require authentication from a
> commenter.
> }}}
>
> == Impacts ==
>
> == Notes ==
>
> ----
>
> CategoryProposals
>

--
Joe Gregorio http://bitworking.org
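The negotiation the reply refers to, as an added example that is not part of the original message: on a 401 response the server lists the schemes it accepts in `WWW-Authenticate` challenges, and the client picks one it supports. The preference order, the refusal of Basic without TLS, the function names and the sample header values are assumptions of this example.

```python
import re

# Strongest first. The ordering and the "no Basic without TLS" rule are
# assumptions of this example (local client policy), not text from the draft.
PREFERENCE = ("digest", "basic")
_PARAM = re.compile(r'^([\w-]+)\s*=\s*(.*)$', re.S)

def split_commas(value):
    """Split a header value on commas that are outside quoted-strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_challenges(header_values):
    """Return [(scheme, params)] from one or more WWW-Authenticate values."""
    challenges = []
    for value in header_values:
        for item in split_commas(value):
            if not _PARAM.match(item):      # "Scheme" or "Scheme key=value"
                scheme, *rest = item.split(None, 1)
                challenges.append((scheme.lower(), {}))
                item = rest[0] if rest else ""
            m = _PARAM.match(item)
            if m and challenges:
                challenges[-1][1][m.group(1).lower()] = m.group(2).strip('"')
    return challenges

def choose_scheme(header_values, supported, over_tls):
    """Pick the strongest offered scheme the client supports, or None."""
    offered = dict(parse_challenges(header_values))
    for scheme in PREFERENCE:
        if scheme in offered and scheme in supported:
            if scheme == "basic" and not over_tls:
                continue  # Basic credentials are only base64-encoded
            return scheme, offered[scheme]
    return None

# Constructed 401 response headers: the server offers both schemes.
SAMPLE = ['Digest realm="Atom, staging", qop="auth", nonce="c0nstructed"',
          'Basic realm="Atom, staging"']
```

A client that only implements Basic gets `None` from `choose_scheme(SAMPLE, {"basic"}, over_tls=False)` and the Basic challenge once the connection is TLS-protected.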
