Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication

> > password over the wire. It's worse because 
> 
> Arrgh!

See what happened -- I stopped typing to let my brain catch up, and it 
never did.... :)

Digest is worse because it never spec'd anything other than MD5, although 
it allowed "space" in the protocol for it.  (SHA was published a 
half-dozen years before.)  Unless the browser serializes requests (i.e., 
one image at a time), full integrity protection with digest usually [not 
always, see the last part of section 3.2.3 of RFC 2617 and sec 4.5 on 
replay] doubles the number of HTTP messages.  At that point, you might as 
well give up and use SSL/TLS, and once you've done that, the temptation to 
use basic-auth (but mom, everybody else does) is generally too great 
to resist.

        /r$

--
STSM, WebSphere Appliance Architect
https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/
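To make the two points in the reply concrete (Digest only ever defined MD5, and a client that does not keep the nonce and count up `nc` pays a fresh 401 challenge for every resource, doubling the message count), here is an added example that is not part of the post or the xml-dev thread. It computes the RFC 2617 `request-digest` for `qop=auth` and `qop=auth-int`, checks it against the Mufasa test vector from RFC 2617 section 3.5, and simulates a tiny server that tracks the nonce count so a replayed request is rejected (the section 4.5 mechanism). `DigestServer`, `fetch_all`, the `nonce-000N` values and the `a=1` body are constructed for this example.

```python
"""Added example, not code from the mailing-list post: RFC 2617 Digest
authentication with MD5 (the only algorithm the RFC defines), plus a
constructed server-side nonce-count check and a message-count simulation."""
import hashlib
import hmac
from dataclasses import dataclass, field


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop, body=b""):
    """RFC 2617 section 3.2.2.1 request-digest for qop="auth" or "auth-int"."""
    ha1 = md5_hex(f"{username}:{realm}:{password}".encode())
    if qop == "auth-int":
        # auth-int folds the entity body hash into A2, so changing the body
        # in transit invalidates the digest (the "integrity protection" case).
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}".encode())
    elif qop == "auth":
        ha2 = md5_hex(f"{method}:{uri}".encode())
    else:
        raise ValueError("qop must be 'auth' or 'auth-int'")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


@dataclass
class DigestServer:
    """Constructed server model: per-nonce highest nc seen, plus a counter
    of HTTP messages (requests and responses) exchanged."""
    realm: str
    users: dict                                   # username -> password (constructed)
    nonces: dict = field(default_factory=dict)    # nonce -> highest nc accepted
    messages: int = 0

    def challenge(self, nonce: str) -> str:
        self.messages += 2          # unauthenticated request + 401 response
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, qop,
               response, body=b"") -> bool:
        self.messages += 2          # authenticated request + its response
        if nonce not in self.nonces or username not in self.users:
            return False            # unknown or stale nonce: re-challenge
        if int(nc, 16) <= self.nonces[nonce]:
            return False            # nc did not increase: replay (RFC 2617 s.4.5)
        expected = digest_response(username, self.realm, self.users[username],
                                   method, uri, nonce, nc, cnonce, qop, body)
        if not hmac.compare_digest(expected, response):
            return False
        self.nonces[nonce] = int(nc, 16)
        return True


def fetch_all(uris, reuse_nonce: bool) -> int:
    """Simulate loading several resources and return the HTTP message count.
    reuse_nonce=False: client forgets the nonce, so every resource costs a
    401 challenge plus the real request (twice the messages).
    reuse_nonce=True: client keeps the nonce and increments nc, so only the
    first resource pays for the challenge."""
    server = DigestServer(realm="testrealm@host.com",
                          users={"Mufasa": "Circle Of Life"})
    nonce, nc = None, 0
    for i, uri in enumerate(uris):
        if nonce is None or not reuse_nonce:
            nonce = server.challenge(f"nonce-{i:04d}")   # constructed nonce
            nc = 0
        nc += 1
        nc_hex = f"{nc:08x}"
        resp = digest_response("Mufasa", server.realm, "Circle Of Life",
                               "GET", uri, nonce, nc_hex, "0a4f113b", "auth")
        if not server.verify("Mufasa", "GET", uri, nonce, nc_hex,
                             "0a4f113b", "auth", resp):
            raise RuntimeError(f"server rejected {uri}")
    return server.messages


if __name__ == "__main__":
    pages = ["/index.html", "/a.png", "/b.png"]
    print("no nonce reuse:", fetch_all(pages, reuse_nonce=False), "messages")
    print("nonce reuse:   ", fetch_all(pages, reuse_nonce=True), "messages")
```

With three resources, the forgetful client exchanges 12 messages where a plain request/response pattern would take 6; keeping the nonce and counting `nc` upward brings it to 8, and the same counter is what lets the server refuse a replayed request.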