James Holderness wrote on 2/23/2006, 12:13 PM:
>
> Tim Bray wrote:
> >
> > On Feb 23, 2006, at 11:19 AM, James M Snell wrote:
> >
> >> Alternative approach to PaceBasicAuthentication and
> >> PaceAuthentication.
> >>
> >> http://www.intertwingly.net/wiki/pie/PaceFixSecurityConsiderations
> >
> > So I generally think that we win by saying the least possible that
> > we can get away with. -Tim
>
> Ok, I've changed my mind. This makes sense to me.
>
> James M Snell wrote:
> >> with a constraint that if Basic Auth is used, TLS SHOULD also be used.
>
> I'm not even sure this is necessary. RFC2617 already covers the
> problem of cleartext passwords in Basic:
>
> Because Basic authentication involves the cleartext transmission of
> passwords it SHOULD NOT be used (without enhancements) to protect
> sensitive or valuable information.
>
OK, I'm an implementor. Let's say I actually read this. How do I guess
that this means I should support Basic + TLS?
--
John Panzer
Sr. Technical Manager
http://journals.aol.com/panzerjohn/abstractioneer