IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Michael Sweet mike at easysw.com
Fri Apr 23 14:04:00 EDT 1999


Keith Moore wrote:
> 
>     Servers are REQUIRED to implement "TLS + Basic" OR Digest.
> 
>     Clients are REQUIRED to implement Digest.  If the client
>     supports TLS then it is also REQUIRED to support "TLS + Basic".
> 
> Won't fly, because it doesn't ensure interoperability.

Requiring TLS in all clients will force non-compliant clients.

Also, after looking at TLS more closely, TLS poses additional
interoperability concerns (specifically, there are no required
ciphers, only recommended ones.)  If a TLS-capable server and
client can't find a common cipher to use, then they either have to
send data in the clear or drop the connection, which either kills
security or interoperability (take your pick)...

As much as I hate to say it, we're getting back to requiring Digest
alone (with the appropriate caveats in the implementer's guide).

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products                  mike at easysw.com
Printing Software for UNIX                       http://www.easysw.com



More information about the Ipp mailing list