Tim Bray wrote:
> On Feb 23, 2006, at 11:19 AM, James M Snell wrote:
>> Alternative approach to PaceBasicAuthentication and PaceAuthentication.
>> http://www.intertwingly.net/wiki/pie/PaceFixSecurityConsiderations
>
> So I generally think that we win by saying the least possible that we can
> get away with. -Tim

Ok, I've changed my mind. This makes sense to me.

James M Snell wrote:
> with a constraint that if Basic Auth is used, TLS SHOULD also be used.

I'm not even sure this is necessary. RFC2617 already covers the problem of
cleartext passwords in Basic:

    Because Basic authentication involves the cleartext transmission of
    passwords it SHOULD NOT be used (without enhancements) to protect
    sensitive or valuable information.

Regards
James