Thread: draft-sayre-http-hmac-digest-00




draft-sayre-http-hmac-digest-00
2006-03-08 03:26:09
On 3/7/06, Sam Hartman <hartmans-ietfmit.edu> wrote:
>
> SASL digest-md5 and http digest share secret key forms.
>
> You could easily meet my requirement by specifying both a sasl
> mechanism and an http mechanism in the same draft.

I apologize if these questions seem combative, but doesn't RFC2831
demonstrate that a SASL mechanism could be specified later? If so,
what's the purpose of your requirement?

--

Robert Sayre
_______________________________________________
Ietf-http-auth mailing list
Ietf-http-authosafoundation.org
http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth
draft-sayre-http-hmac-digest-00
2006-03-08 05:20:13
>>>>> "Robert" == Robert Sayre <sayrergmail.com> writes:

    Robert> On 3/7/06, Sam Hartman <hartmans-ietfmit.edu> wrote:
    >> SASL digest-md5 and http digest share secret key forms.
    >>
    >> You could easily meet my requirement by specifying both a sasl
    >> mechanism and an http mechanism in the same draft.

    Robert> I apologize if these questions seem combative, but doesn't
    Robert> RFC2831 demonstrate that a SASL mechanism could be
    Robert> specified later? If so, what's the purpose of your
    Robert> requirement?

It could be.  I don't think that would be a good idea though.  It's
been my experience that when credential types are available with some
substrates and not others or with some frameworks and not others, you
get people picking frameworks and substrates based in part on
availability of credentials.

I find that leads to very bad security design and creates problems in
the future so I'd like to strongly discourage it.



--Sam