rahul wrote:
> | >| Can we make sure that this is ONLY done over https connections please
> | >| otherwise it is sending clear text passwords over the wire.
> | >I understand the reason but shouldn't it be enforced by the server
> | >rather than the client?
> | The client starts the conversation not the server.
> |
> | The client should know not to attempt to do authentication that will
> | expose clear text credentials over the wire if it didn't make an https
> | connection. Most web browsers have a config option for this and warn
> | you when you attempt to do so the first time.
>
> Other programs like webdav or svn do not follow this approach. Since
> webdav is a standard and has gone through some review, and what it does
> is very similar to what pkg does too (on a meta level at least -) it is a
> convention we can/should follow.

Just because other things do it that way doesn't mean it is the best way to do it. Also, even "official" standards can be suboptimal, particularly ones that build on existing suboptimal standards.

I disagree. I don't ever want to see clear text creds go over the wire, and in my opinion it is as much the client's responsibility as the server's. For example, SSH doesn't work that way and it's a standard too.

> (we should perhaps look at supporting webdav as an interface too)
>
> Moreover, browsers don't do that for basic auth (at least Firefox, Opera
> and IE don't). What they do is _warn_ you when you try to send username
> and password in the _url_.

Exactly.

--
Darren J Moffat
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
