John Panzer wrote:
> Servers SHOULD support the HTTP Basic auth-scheme [RFC2617]
> for operations requiring authentication. Servers SHOULD use
> SSL/TLS [RFC2246] for such operations. Servers MAY support other
> auth-schemes, and MAY support schemes entirely outside the
> challenge-response framework of [RFC2617].
I don't have a problem with Basic+TLS as an option, but I think Digest
without TLS is at least as important if not more so. For the typical
blogger, you'd want a secure form of authentication when uploading posts,
but you really don't need the overhead of encrypting the entire session with
the server for data that's about to be published openly. TLS is complete
overkill for that situation and adds a lot of work for both the server and
the client.
Not to say that blogging is the only use for APP, but it's assumedly one of
the major uses.
PaceBasicAuthentication is closer to what I'd want, but I think you're going
to have interoperability problems with the server supporting HTTP Basic+TLS,
one client supporting HTTP Digest, another supporting CGI auth, etc.
My preference would be for:
- MUST support HTTP Digest Authentication
- SHOULD or MAY support HTTP Basic Authentication (in which case it SHOULD support TLS)
- MAY support CGI or other authentication schemes
Regards
James
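As an added illustration of the Basic-versus-Digest point made above (example code written for this page, not from the thread or the APP spec): what each scheme puts in the Authorization header, and how a server checks a Digest response from a stored HA1 while rejecting replayed nonce counts. The user, realm, password, URI and nonce values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the demonstration (not taken from the thread).
USER, REALM, PASSWORD = "alice", "atom@example.org", "s3cret"
METHOD, URI = "POST", "/blog/entries"
NONCE, CNONCE, QOP = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "auth"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    # RFC 2617 Basic: the credentials are merely base64-encoded, not protected.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_recover(header: str) -> tuple:
    # Anyone who observes the header without TLS gets the password back verbatim.
    user, password = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    # HA1 = MD5(user:realm:password); a server can store this instead of the password.
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # RFC 2617 Digest with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2),
    # where HA2 = MD5(method:uri). The password itself never crosses the wire.
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{QOP}:{ha2}")


class DigestVerifier:
    """Server side: recompute the response from stored HA1; refuse reused (nonce, nc) pairs."""

    def __init__(self, stored_ha1: str):
        self.stored_ha1 = stored_ha1
        self.seen = set()  # (nonce, nc) pairs already accepted

    def verify(self, method: str, uri: str, nonce: str, nc: str, cnonce: str, response: str) -> bool:
        if (nonce, nc) in self.seen:
            return False  # replay of an already-used nonce count
        expected = digest_response(self.stored_ha1, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True
```

Digest on its own still leaves the request body readable to an observer, which is exactly the trade-off the message argues is acceptable for content about to be published anyway.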