At 8:28 PM -0800 1/9/04, Robert Koberg wrote:
>the point was that he clearly stated the correct *way* without
>having used it or seen it used. I have no problem adapting/adopting
>a better way. I have been doing it most of my life (I started
>/programming/ with MACR Authorware developing educational CDROMs)
>
No. I initially stated that HTTP authentication was superior to
cookie based authentication for architectural reasons. I've used HTTP
authentication quite a bit over the years, since before digest
authentication was invented, and I can state from experience that it
is easier to configure, cheaper to implement, and architecturally
sounder than cookies.

However, Rich Salz pointed out that basic authentication was insecure
because it sent the password in the clear. I thought that was a very
strange thing to do so I went looking in the specs and discovered
digest authentication which seemed to solve the problem neatly. Salz
pointed out some security issues with digest authentication. I
pointed out some security issues with cookie based authentication.
Then Salz claimed digest authentication didn't actually work and John
Cowan claimed it wasn't interoperable between Borg and non-Borg
systems, but most of their sources seemed to be at least four years
old and based on outdated software, so I decided to run my own tests;
and as I expected it seems like the status quo is better today than
it was four years ago, though it is imperfect.

In the future when I need authentication I'll make a choice between
basic authentication, digest authentication, and/or SSL depending on
the security needs of the realm and the necessity of supporting older
browsers. We're all looking for the better way; and it appears we may
have more choice than many, perhaps any, of us realized. When one is
looking for the better way, sometimes you have to be prepared to revisit
and challenge old assumptions and knowledge, especially in as rapidly
changing a field as technology. What he learned four years ago may
very well not be true today. What we learn today may not be true four
years from now.
--
Elliotte Rusty Harold
elharo@metalab.unc.edu
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
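The thread above contrasts basic authentication, which "sent the password in the clear", with digest authentication, which was meant to solve that. The following is an added example written for this archive page, not code from the thread or any of its participants; it implements the RFC 2617 Basic and Digest (qop=auth, MD5) computations to show what actually travels in the Authorization header in each case. The credentials, realm, and request URI are constructed sample values, and `digest_exchange` is a hypothetical helper that simulates one challenge/response round in-process.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials and request; not taken from the thread.
USERNAME = "alice"
PASSWORD = "s3cret-example"
REALM = "example.org"
METHOD = "GET"
URI = "/private/report"


def basic_header(username, password):
    """Build an RFC 2617 Basic Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_recover(header):
    """Anyone who can read the header gets the credentials back:
    base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """H(A1) per RFC 2617: the server can store this instead of the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side response hash for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server-side check: recompute from the stored H(A1) and compare in
    constant time. The plaintext password is never needed on the wire."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


def digest_exchange(username, password, realm, method, uri):
    """Simulate one challenge/response round (hypothetical helper): the server
    issues a fresh nonce, the client answers with a hash, and the server
    verifies it against the H(A1) it has on file. Returns the header the
    client would send and the verification result."""
    nonce = secrets.token_hex(16)      # server challenge
    cnonce = secrets.token_hex(8)      # client nonce
    nc = "00000001"
    ha1 = digest_ha1(username, realm, password)
    response = digest_response(ha1, method, uri, nonce, nc, cnonce)
    header = (
        f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
        f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"'
    )
    stored_ha1 = ha1  # what the server keeps in its credential store
    ok = digest_verify(stored_ha1, method, uri, nonce, nc, cnonce, response)
    return header, ok


if __name__ == "__main__":
    basic = basic_header(USERNAME, PASSWORD)
    print("Basic header :", basic)
    print("recovered    :", basic_recover(basic))
    header, ok = digest_exchange(USERNAME, PASSWORD, REALM, METHOD, URI)
    print("Digest header:", header)
    print("password on wire:", PASSWORD in header, "| verified:", ok)
```

The Basic header decodes straight back to `alice:s3cret-example`, which is the "in the clear" point made in the thread; the Digest header carries only nonces and an MD5 response, so the password itself is not transmitted. The caveat a practitioner should keep in mind is that a captured Digest exchange still lets an observer test password guesses offline against the response hash, and neither scheme protects the request body, which is why the choice in the last paragraph above includes SSL as an option.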