Re: Regarding Authentication
Josh (josh@early.com)
Thu, 13 Nov 1997 12:31:54 -0500 (EST)
According to Scott Lawrence,
>
> I don't think that there is any interoperability reason why you
> should not send unsolicited credentials (that is, I don't think that
> it breaks the protocol itself to do so), but it makes no sense from
> a security point of view:
>
> - With Basic all you're doing is publishing your password to someone
> who may not need it or have any reason to get it (which is what
> you're doing every time you use Basic anyway...)
>
> - With Digest you can't generate valid credentials without the nonce
> from the challenge anyway.
>
I agree that you don't generally send unsolicited credentials, but
the context isn't necessarily clear. If you are challenged for credentials
initially, but a long while later (potentially hours) in the same
browser session, you might send those same credentials again
in a later transaction. One could argue that this
would be unsolicited, since it's possible for those
credentials to be invalid at the later time.
--
---
Josh Cohen
josh@early.com
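The two points above (that a Digest response cannot be formed without the challenge nonce, and that credentials re-sent hours later in the same session may no longer be valid) as an added, runnable example. This is not code from the original message or from any HTTP-WG participant. It assumes the RFC 2069 form of Digest (response = MD5(H(A1):nonce:H(A2)), no qop) and one possible server policy of MAC-stamped nonces that expire after an hour; the realm, username, password, server secret and timestamps are constructed values for illustration only.

```python
import hashlib
import hmac

# Constructed sample values (not from the original message).
REALM = "example.realm"
USERNAME = "josh"
PASSWORD = "correct horse"
SERVER_SECRET = b"nonce-mac-secret"   # assumed server-side secret, never sent to clients
NONCE_LIFETIME = 60 * 60              # assumed policy: a nonce is accepted for one hour


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def h_a1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password). A server may store this instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


# Server-side credential store keyed by username, holding H(A1) rather than the password.
USER_DB = {USERNAME: h_a1(USERNAME, REALM, PASSWORD)}


def make_nonce(now: int) -> str:
    """Server: issue a nonce that binds an issue time to a MAC under the server secret,
    so expiry can be checked later without remembering every nonce handed out."""
    ts = str(now)
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def nonce_issued_by_us(nonce: str) -> bool:
    ts, _, mac = nonce.partition(":")
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def nonce_is_fresh(nonce: str, now: int) -> bool:
    ts = int(nonce.partition(":")[0])
    return now - ts <= NONCE_LIFETIME


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2069 response: MD5(H(A1):nonce:H(A2)) with H(A2) = MD5(method:uri).
    The nonce sits in the middle term, so a client cannot compute this before it
    has seen the server's challenge."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def client_authorization(challenge: dict, method: str, uri: str) -> dict:
    """Client: build the Authorization fields from a (parsed) WWW-Authenticate challenge."""
    ha1 = h_a1(USERNAME, challenge["realm"], PASSWORD)
    return {
        "username": USERNAME,
        "realm": challenge["realm"],
        "nonce": challenge["nonce"],
        "uri": uri,
        "response": digest_response(ha1, challenge["nonce"], method, uri),
    }


def server_verify(auth: dict, method: str, now: int) -> str:
    """Server: 'ok' on a valid, fresh response; 'stale' when the response is correct
    but the nonce has expired (the case for credentials replayed hours later, where the
    server would re-challenge); 'bad' for a wrong password or a nonce we never issued."""
    ha1 = USER_DB.get(auth["username"])
    if ha1 is None or not nonce_issued_by_us(auth["nonce"]):
        return "bad"
    expected = digest_response(ha1, auth["nonce"], method, auth["uri"])
    if not hmac.compare_digest(auth["response"], expected):
        return "bad"
    if not nonce_is_fresh(auth["nonce"], now):
        return "stale"
    return "ok"


def scenario() -> tuple:
    """The session described above: challenged once, then the same Authorization
    header re-sent three hours later in the same browser session."""
    t0 = 1_000_000                       # constructed clock value
    challenge = {"realm": REALM, "nonce": make_nonce(t0)}
    auth = client_authorization(challenge, "GET", "/private")
    first = server_verify(auth, "GET", t0 + 5)
    hours_later = server_verify(auth, "GET", t0 + 3 * 3600)
    forged = dict(auth, nonce="999:deadbeef")      # nonce the server never issued
    return first, hours_later, server_verify(forged, "GET", t0 + 5)


if __name__ == "__main__":
    print(scenario())
```

The split between 'stale' and 'bad' is the practical consequence of Josh's point: the re-sent credentials are not wrong, just no longer acceptable, and a server that distinguishes the two can re-challenge with a fresh nonce rather than treat the user as having failed authentication.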