Lists Home |
Date Index |
- To: Rich Salz <firstname.lastname@example.org>
- Subject: Re: [xml-dev] Expertise and Innovation - was Re: [xml-dev] Non-Borgservers can authenticate Borg clients (Was Re: [xml-dev] Re: Cookies atXML Europe 2004 -- Call for Participation)
- From: Alaric B Snell <email@example.com>
- Date: Wed, 04 Feb 2004 14:08:41 +0000
- Cc: "Simon St.Laurent" <firstname.lastname@example.org>,"'email@example.com '" <firstname.lastname@example.org>
- In-reply-to: <Pine.LNX.4.44L0.email@example.com>
- References: <Pine.LNX.4.44L0.firstname.lastname@example.org>
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030704 Debian/1.4-1
Rich Salz wrote:
>>It's tough when Elliotte's that completely right, but it happens pretty
>>regularly. Usually when I'm on the other side, unfortunately.
> Hey, let's not get carried away.
> Just because digest-auth is more interoperable than we all expected,
> doesn't mean it's the right thing to do. I still strongly stand by my
> arguments against it and in favor of those old-fogey security mechanisms.
And it's still the case that both users and programmers have less
control over HTTP auth; browsers still don't give you "logout" buttons
that uncache the username and password you've entered, the credentials
have to be submitted with every request rather than just once (widening
the window of vulnerability to snooping), the server cannot enforce that
sessions expire after a certain period of inactivity (and sometimes they
will *need* to mandate that to meet the requirements of banking
applications and so on, regardless of user browser choices and
settings), and so on.