On Mon, May 10, 2010 at 10:43 PM, Eran Hammer-Lahav <[email protected]> wrote:
>
> What?
>
> Basic auth seems to be working just fine for the entire web...

I hadn't heard of implementations hitting a limitation on header size, but Basic and Digest are both broken.

Basic leaves the input character encoding unspecified, so it doesn't handle anything but ASCII in an interoperable way. OAuth implementations will certainly screw this up too, but I suspect it will be somewhat less buggy, since most people will probably just guess it's supposed to be UTF-8.

The way Digest hashes credentials is incompatible with pretty much every authentication database, so it never gets used, and it isn't very secure anyway.

What /would/ be nice is an HTTP authentication scheme that used some sort of PAKE... but don't gate the OAuth spec on that.

--
Robert Sayre

"I would have written a shorter letter, but I did not have the time."
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
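The Basic charset ambiguity raised in the message above, shown as an added example that is not part of the original post or of any OAuth implementation. It builds `Authorization: Basic` values under two charsets and checks which client/server pairings recover the credentials; the function names, the sample credentials and the choice of UTF-8 and ISO-8859-1 as the two guesses are assumptions made for illustration.

```python
import base64

# Two encodings a client or server might plausibly assume (assumption for this example).
CHARSETS = ("utf-8", "iso-8859-1")


def basic_header(user: str, password: str, charset: str) -> str:
    """Client side: encode user:password in `charset`, then base64 it."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header: str, charset: str):
    """Server side: decode the header assuming `charset`.

    Returns (user, password), or None when the header is not Basic,
    is not valid base64, or its bytes are not valid in `charset`.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(token, validate=True).decode(charset)
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


def interop_matrix(user: str, password: str) -> dict:
    """Map (client_charset, server_charset) -> True if the server recovers the credentials."""
    return {
        (c, s): parse_basic(basic_header(user, password, c), s) == (user, password)
        for c in CHARSETS
        for s in CHARSETS
    }


if __name__ == "__main__":
    # Constructed sample credentials: one ASCII-only pair, one with non-ASCII characters.
    for user, password in (("alice", "correct horse"), ("rené", "pässwörd")):
        print(user, basic_header(user, password, "utf-8"))
        for pair, ok in interop_matrix(user, password).items():
            print("   client/server", pair, "->", "ok" if ok else "MISMATCH")
```

With ASCII credentials every pairing succeeds; with non-ASCII credentials a mismatch either fails to decode or yields different strings, so the login is rejected even though the user typed the right password.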
