Jens Alfke wrote:
> Assuming a non-SSL client, wouldn't this make the use of digest
> authentication a bit "too little, too late" in many situations?
> Any mechanism that could allow the client to securely transmit a password to the
>server in the absence of any prior shared secrets, would have to involve some sort of
>public-key crypto. This would make it nearly as complex as SSL, so why not just use
>SSL, which provides the additional benefit of encrypting the entire session including
>message contents?
>
I was getting to that. I wonder what the real point of supporting digest
based authentication is when it can be circumvented before it's ever
used? I suppose it could be considered a weak backup to having the
entire stream encrypted from the beginning.
Regards, Dustin
--
Dustin Puryear <[EMAIL PROTECTED]>
http://members.telocity.com/~dpuryear
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams
_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
