On 7/17/06, Eric Rescorla <[EMAIL PROTECTED]> wrote:
> If by "existing auth database" you mean the basic or form database, this is generally correct--though one could in fact implement an auth database that would work for both.

Right. But some of our server implementers couldn't implement it if they wanted to.

> > Digest's more extensive protection options are basically
> > unimplemented.
>
> By "more extensive protection options" do you mean the auth-int mode?

Yes, but I believe some clients even screw up auth mode, and only work with 2069-style. Container-managed security in Java Servlet implementations often doesn't work with Digest, at least with the vendor-provided authentication classes.

> I'm not familiar with what HTTP implementations do, but I'll note that SIP implementations will do auth-int.

Mozilla doesn't do it. Apache (mod_auth_digest) doesn't do it. Opera does. I don't know what MS libraries do these days.

> Feel free to take this point up with the IESG. I doubt you'll find them very sympathetic, however.

Well, I'd like the document to reflect reality, but I suspect that will be no match for the IESG rules in combination with some WG members that want Basic+TLS enshrined in the document because that is what they are going to deploy.

-- 
Robert Sayre
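Added illustration, not code from the thread or from any of the implementations named in it: the three Digest response computations the messages contrast (RFC 2069 style with no qop, qop=auth, and qop=auth-int), and why only auth-int lets a server notice a request body that changed in transit. Credentials and nonce values are the RFC 2617 section 3.5 example; the POST bodies are constructed.

```python
import hashlib
import hmac

def _h(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, body=b""):
    """Compute the Digest 'response' value for the requested qop mode."""
    ha1 = _h(f"{username}:{realm}:{password}".encode())
    if qop == "auth-int":
        # auth-int folds a hash of the entity body into HA2, so the
        # response only verifies over the body the server actually got.
        ha2 = _h(f"{method}:{uri}:{_h(body)}".encode())
    else:
        # qop=auth and RFC 2069 style cover only method and URI.
        ha2 = _h(f"{method}:{uri}".encode())
    if qop is None:
        # RFC 2069 style: no qop, nonce-count or cnonce in the hash.
        return _h(f"{ha1}:{nonce}:{ha2}".encode())
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def verify_response(expected_response, **kw):
    """Server side: recompute from stored credentials and compare in constant time."""
    return hmac.compare_digest(digest_response(**kw), expected_response)

# RFC 2617 example values (constructed scenario around them).
CREDS = dict(username="Mufasa", realm="testrealm@host.com",
             password="Circle Of Life", method="GET", uri="/dir/index.html",
             nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")

def body_change_detected(qop):
    """Does a body modified between client and server invalidate the response?"""
    kw = dict(CREDS, qop=qop, nc="00000001", cnonce="0a4f113b", method="POST")
    sent = digest_response(body=b"amount=10", **kw)       # what the client signed
    return not verify_response(sent, body=b"amount=9999", **kw)  # what arrived

if __name__ == "__main__":
    print("qop=auth response:",
          digest_response(qop="auth", nc="00000001", cnonce="0a4f113b", **CREDS))
    for q in (None, "auth", "auth-int"):
        print(f"qop={q}: body change detected ->", body_change_detected(q))
```

Only the auth-int case returns True; under qop=auth and 2069 style the altered body verifies unchanged, which is the protection gap the thread says most HTTP implementations leave open.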