RE: [xml-dev] RE: Encoding charset of HTTP Basic Authentication

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

From: "David Lee" <dlee@calldei.com>
To: "'Petite Abeille'" <petite.abeille@gmail.com>, "'xml-dev'" <xml-dev@lists.xml.org>
Date: Mon, 30 Jan 2012 09:44:27 -0500

Were back to the problem that SSL doesn't solve the problem (today)  it was
originally intended to solve.   But it happens to solve *this* problem (as
long as you ignore the fact that both ends may be insecure - in which case
all bets are off).

But yes the crux is that Authentication in pure HTTP is either insecure or
hard.
That's just the way it is (as far as I know).

<rant>
This is why a particular annoyance of mine is the false-sense-of-security of
CA signed certificates.
If browsers didn't put up an ugly warning about how scary a self-signed
certificate was then more people would use SSL and the internet would be
more secure.
But if you use plain HTTP you don't get a warning - just insecurity.
Why is it like this ? My only guess ... "Follow the money ..." ?

</rant>

----------------------------------------
David A. Lee
dlee@calldei.com
http://www.xmlsh.org


-----Original Message-----
From: Petite Abeille [mailto:petite.abeille@gmail.com] 
Sent: Monday, January 30, 2012 9:18 AM
To: xml-dev
Subject: Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication



On Jan 30, 2012, at 2:52 PM, Pete Cordell wrote:

> A quick question before I do though, does Digest require the server to
have access to the password in clear text form, whereas Basic allows the
server to store the password in some hashed form?

That's the crux of it: digest is not worth the complications IMO.

If you care about the integrity of the transport channel, use TLS.

If you use TLS, basic is all what you need.


_______________________________________________________________________

XML-DEV is a publicly archived, unmoderated list hosted by OASIS
to support XML implementation and development. To minimize
spam in the archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
subscribe: xml-dev-subscribe@lists.xml.org
List archive: http://lists.xml.org/archives/xml-dev/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

References:
- RE: Encoding charset of HTTP Basic Authentication
  - From: "David Lee" <dlee@calldei.com>
- Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
  - From: "Pete Cordell" <petexmldev@codalogic.com>
- Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
  - From: Petite Abeille <petite.abeille@gmail.com>
- Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
  - From: "Pete Cordell" <petexmldev@codalogic.com>
- Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
  - From: "Pete Cordell" <petexmldev@codalogic.com>
- Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
  - From: Michael Sokolov <sokolov@ifactory.com>
- Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
  - From: "Pete Cordell" <petexmldev@codalogic.com>
- Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
  - From: Greg Hunt <greg@firmansyah.com>
- Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
  - From: "Pete Cordell" <petexmldev@codalogic.com>
- Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
  - From: Petite Abeille <petite.abeille@gmail.com>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]