| >| >| Can we make sure that this is ONLY done over https connections please
| >| >| otherwise it is sending clear text passwords over the wire.
| >| >I understand the reason but shouldn't it be enforced by the server
| >| >rather than the client?
| >| The client starts the conversation not the server.
| >|
| >| The client should know not to attempt to do authentication that will
| >| expose clear text credentials over the wire if it didn't make an https
| >| connection. Most web browsers have a config option for this and warn
| >| you when you attempt to do so the first time.
| >
| >Other programs like webdav or svn do not follow this approach. Since
| >webdav is a standard and has gone through some review, and what it does
| >is very similar to what pkg does too (on a meta level at least -) it is a
| >convention we can/should follow.
|
| Just because other things do it that way doesn't mean it is the best way
| to do it. Also even "official" standards can be suboptimal particularly
| ones that build on existing suboptimal standards.
(*)Yes, and the best way is not self-evident in most cases either. In this
case, we would be forcing the administrator to set up two listeners, one
secure and the other non-secure, even in cases where it is not really
useful like a local LAN. (Setting up an SSL listener is much more complex
than setting up a simple HTTP listener.)
We should not be adding more complexity to the most basic use case, and
should let the administrator decide what is necessary when.
| I disagree. I don't ever want to see clear text creds go over the wire,
| and in my opinion it is as much the client's responsibility as the server's.
|
| For example SSH doesn't work that way and it's standard too.
That is a tautology :)
ssh does not distinguish between credentials or other data.
Are there any standards that switch between non-TLS and TLS for auth?
(See first point (*) for why this question is important.)
Most let the administrator decide:
imap, webdav/http, pop3, ftp, svn, irc, telnet ... etc.
| >(we should perhaps look at supporting webdav as an interface too)
| >
| >Moreover, browsers don't do that for basic auth (at least Firefox, Opera
| >and IE don't.) What they do is to _warn_ you when you try to send username
| >and password in the _url_.
|
| Exactly.
?
rahul
--
1. e4 _
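The thread argues two client-side policies for HTTP Basic auth: refuse outright to send credentials over plain http, or let the administrator/user opt in and warn once the way browsers do. The following is an added illustration, not code from pkg or from anyone in this thread, of a client helper that implements both behaviours behind one `allow_plaintext` switch. The function and exception names are invented for this example.

```python
import base64
import warnings
from urllib.parse import urlsplit


class PlaintextCredentialError(Exception):
    """Raised when Basic credentials would be sent over a non-TLS connection."""


# Hosts the user has already been warned about (warn-once, like a browser).
_warned_hosts = set()


def basic_auth_header(username, password):
    """Build the RFC 7617 Basic Authorization header (base64 of user:pass)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def auth_headers_for(url, username, password, allow_plaintext=False):
    """Return headers for a request to `url`, enforcing the client-side policy.

    https  -> credentials are sent.
    http   -> refused unless allow_plaintext=True (the administrator's or
              user's explicit decision), in which case a warning is emitted
              the first time a given host is contacted.
    other  -> rejected; this helper only knows HTTP(S).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return basic_auth_header(username, password)
    if scheme != "http":
        raise ValueError(f"unsupported URL scheme: {parts.scheme!r}")
    if not allow_plaintext:
        raise PlaintextCredentialError(
            f"refusing to send Basic credentials to {url} over plain http; "
            "use https or set allow_plaintext=True"
        )
    host = parts.hostname or ""
    if host not in _warned_hosts:
        warnings.warn(
            f"sending Basic credentials to {host} over plain http; "
            "they are only base64-encoded, not encrypted",
            stacklevel=2,
        )
        _warned_hosts.add(host)
    return basic_auth_header(username, password)


def is_plaintext_url(url):
    """True when a request to `url` would carry credentials unencrypted."""
    return urlsplit(url).scheme.lower() == "http"


if __name__ == "__main__":
    # Constructed sample URLs; no network access is performed.
    print(auth_headers_for("https://repo.example/pkg", "user", "secret"))
    try:
        auth_headers_for("http://repo.example/pkg", "user", "secret")
    except PlaintextCredentialError as exc:
        print("blocked:", exc)
    print(auth_headers_for("http://10.0.0.5/pkg", "user", "secret", allow_plaintext=True))
```

The default (`allow_plaintext=False`) is the strict position taken in the thread; passing `allow_plaintext=True` is the "let the administrator decide" position for a trusted local network, with a one-time warning so the choice is visible rather than silent.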
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss