Joe Gregorio wrote:
-1  (See inline)

On 2/22/06, James M Snell <[EMAIL PROTECTED]> wrote:
http://www.intertwingly.net/wiki/pie/PaceBasicAuthentication
...
   All instances of publishing Atom Format entries SHOULD be protected
   by authentication to prevent posting or editing by unknown sources.
   Atom Protocol servers and clients MUST support one of the following
   authentication mechanisms, and SHOULD support both.

You would be hard pressed to find a *single* web service today
that supports both Basic and Digest at the same time. I know
the spec says that it's possible, the reality is that it just isn't
done.

Mandating any specific auth implementation doesn't add
to interop and will only add to the burden of people trying
to build 'conformant' implementations.

Now I realize it sounds like I am contradicting myself here
as I have said that we need to add constraints to improve interop,
but in this case HTTP already has an automatic authentication
negotiation mechanism built into it. We aren't improving the
situation by selecting a subset of the currently weak field
of http auth options and making them mandatory.
  
Actually, I don't think this is true.  Both Blogger and AOL (us) have apparently arrived at the same conclusion independently:  From a server perspective, HTTP Basic over TLS is minimally acceptable security for doing authoring operations on web logs and isn't a burden for clients.  Non-TLS using Basic or Digest is a nonstarter and will be rejected.  (I'm speaking for what AOL is going to do here, not for Blogger, but I _think_ that's what Blogger is doing too from observation.)

So, given this situation, I think it's minimally worth mentioning in the spec that clients SHOULD support HTTP Basic over TLS.  Given client support, and a statement in the spec, servers will also support this if they can do so at all (some can't).  How is this adding to the burden?

If there is no statement in the spec, some people are going to write clients that support only Basic but not TLS, or HTTP Digest only.  Similarly, you'll find servers which try to get security by mandating Digest only.  Which won't work with clients that support only Basic.

The goal here is to at least define what side of the road, authentication-wise, people should expect to drive on to avoid accidents.  They can also go off-road if they like, but they can't expect interoperability when they do.

-- 
John Panzer
Sr Technical Manager, AOL
http://journals.aol.com/panzerjohn/abstractioneer
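The server-side policy Panzer describes (accept HTTP Basic only over TLS, reject Basic or Digest on a plaintext connection, and use the 401/WWW-Authenticate challenge that HTTP already provides so a client learns what the server accepts) is easy to state as code. The following is an added illustration and is not code from the thread, from AOL or from Blogger; the request and response objects, the realm name, the salt and the user table are all assumptions made for this example.

```python
"""Added example (not from the thread): an authentication gate for an Atom
Publishing Protocol server that accepts HTTP Basic only over TLS and answers
everything else with a 401 challenge. Request/Response shapes, REALM, SALT
and USERS are assumptions made for this illustration."""
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass, field

REALM = "atom-publishing"        # assumed realm name
SALT = b"constructed-salt"       # constructed; a real store uses a per-user salt


def hash_password(password: str) -> bytes:
    """Derive a password verifier so the user table never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


# Constructed user table for the example.
USERS = {"alice": hash_password("correct horse")}


@dataclass
class Request:
    scheme: str                          # "https" or "http"
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def challenge(reason: str) -> Response:
    """401 plus WWW-Authenticate: the negotiation hook built into HTTP.
    The client sees which scheme the server will accept and can retry."""
    return Response(401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, reason)


def parse_basic(value: str):
    """Return (user, password) from an 'Authorization: Basic ...' value,
    or None for Digest, malformed base64, or a missing ':' separator."""
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(req: Request) -> Response:
    """Apply the policy: credentials in the clear are refused before they are
    even examined; over TLS only Basic is accepted and checked."""
    if req.scheme != "https":
        # Basic or Digest on plaintext is a nonstarter: reject and challenge.
        return challenge("TLS required for authoring operations")
    auth = req.headers.get("Authorization")
    if auth is None:
        return challenge("credentials required")
    creds = parse_basic(auth)
    if creds is None:
        # Digest or a malformed header: tell the client what is accepted.
        return challenge("only Basic over TLS is accepted")
    user, password = creds
    expected = USERS.get(user)
    supplied = hash_password(password)
    # Constant-time comparison; an unknown user takes the same path as a bad password.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return challenge("invalid credentials")
    return Response(200, {}, f"authenticated as {user}")


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    good = {"Authorization": basic_header("alice", "correct horse")}
    print(authenticate(Request("http", good)).status)    # 401: not over TLS
    print(authenticate(Request("https", good)).status)   # 200
```

The scheme check happens before the header is parsed, so a plaintext request never gets its credentials evaluated at all; that is the "rejected" behaviour described above, and the challenge it returns is the HTTP negotiation Gregorio mentions, just constrained to the one scheme the server is willing to drive on.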
