John Panzer wrote:
> > Because Basic authentication involves the cleartext transmission of
> > passwords it SHOULD NOT be used (without enhancements) to protect
> > sensitive or valuable information.
> OK, I'm an implementor. Let's say I actually read this. How do I guess
> that this means I should support Basic + TLS?
You don't, because that's not what it means. All it says is that if you want
to use Basic, you SHOULD be using some enhancement on top of it. One such
enhancement is TLS. There may be other ways of securing Basic auth - I don't
know. I certainly wouldn't want to try and predict what security protocols
may be developed in the future. If the authors of RFC2617 didn't feel the
need to go into the specifics, why should we?
Regards
James
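The point under discussion, shown in code: Basic credentials are only base64-encoded, so anyone who can read the cleartext connection can recover them, and the server-side policy that follows from the RFC text is to accept Basic only over a protected transport such as TLS. This is an added illustration, not code from the thread; the host name, user name and password are constructed sample values.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample request: what a client sends when it uses Basic auth.
# The token is base64(user ":" password), which is encoding, not encryption.
SAMPLE_TOKEN = base64.b64encode(b"alice:hunter2").decode()
SAMPLE_REQUEST = (
    "GET /private/report HTTP/1.1\r\n"
    "Host: example.test\r\n"
    f"Authorization: Basic {SAMPLE_TOKEN}\r\n"
    "\r\n"
)

def parse_headers(raw_request: str) -> dict:
    """Return the request headers as a lower-cased name -> value dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def recover_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Decode Basic credentials the way any on-path observer of a cleartext
    connection could: no key is needed. Returns (user, password) or None."""
    auth = parse_headers(raw_request).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 2617 splits on the first colon; the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def basic_auth_allowed(url_scheme: str, raw_request: str) -> bool:
    """Server-side policy matching the RFC 2617 advice quoted above: accept
    Basic only when an enhancement (here TLS) protects the transport.
    Requests that do not carry Basic credentials are not affected."""
    if recover_basic_credentials(raw_request) is None:
        return True
    return url_scheme.lower() == "https"
```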