OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
RE: [xml-dev] RE: Encoding charset of HTTP Basic Authentication

Were back to the problem that SSL doesn't solve the problem (today)  it was
originally intended to solve.   But it happens to solve *this* problem (as
long as you ignore the fact that both ends may be insecure - in which case
all bets are off).

But yes the crux is that Authentication in pure HTTP is either insecure or
That's just the way it is (as far as I know).

This is why a particular annoyance of mine is the false-sense-of-security of
CA signed certificates.
If browsers didn't put up an ugly warning about how scary a self-signed
certificate was then more people would use SSL and the internet would be
more secure.
But if you use plain HTTP you don't get a warning - just insecurity.
Why is it like this ? My only guess ... "Follow the money ..." ?


David A. Lee

-----Original Message-----
From: Petite Abeille [mailto:petite.abeille@gmail.com] 
Sent: Monday, January 30, 2012 9:18 AM
To: xml-dev
Subject: Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication

On Jan 30, 2012, at 2:52 PM, Pete Cordell wrote:

> A quick question before I do though, does Digest require the server to
have access to the password in clear text form, whereas Basic allows the
server to store the password in some hashed form?

That's the crux of it: digest is not worth the complications IMO.

If you care about the integrity of the transport channel, use TLS.

If you use TLS, basic is all what you need.


XML-DEV is a publicly archived, unmoderated list hosted by OASIS
to support XML implementation and development. To minimize
spam in the archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
subscribe: xml-dev-subscribe@lists.xml.org
List archive: http://lists.xml.org/archives/xml-dev/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS