Paul Leach wrote:
> True, but so does the client. It can (and should be able to be)
> configured with the lowest level of security it will accept, and if
> the server only offers less secure protocols than that, it refuses
> to connect.
This isn't really a negotiation, tho. The client can't change what
the server wants, and vice versa...
> BTW: there is advantage to running Digest (instead of Basic), even
> with the weakest options, inside of TLS. Basic exposes your password
> to the server, whereas a Digest server can store hashes of passwords
> that are realm specific, and so use of the same password in multiple
> realms isn't as big an exposure.
I agree that there are a lot of benefits with using Digest, but to
interface to an existing non-MD5-based authorization system you need
to use Basic so you have the original password text to work with.
Michael Sweet, Easy Software Products mike at easysw.com
Printing Software for UNIX http://www.easysw.com
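
The two points in this exchange, as an added example that is not part of the original message: a Digest server verifies a response from a stored realm-specific MD5(user:realm:password) without ever holding the password, while a non-MD5 store can only be checked when Basic delivers the cleartext. The user, realms, nonce, salt and the salted SHA-256 "legacy" store are constructed assumptions, and the response uses the no-qop form.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    """What a Digest server stores: MD5(user:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """Digest response without qop (the weakest variant): MD5(HA1:nonce:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def verify_digest(stored_ha1, method, uri, nonce, response) -> bool:
    """Server side: needs only the stored HA1, never the password."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)

def legacy_hash(password: str, salt: bytes) -> str:
    """Hypothetical existing non-MD5 store: salted SHA-256."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def verify_basic(stored: str, salt: bytes, password: str) -> bool:
    """Basic hands the server the cleartext, so any hash scheme can check it."""
    return hmac.compare_digest(legacy_hash(password, salt), stored)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    user, pw, nonce = "alice", "correct horse", "constructed-nonce-01"
    a = ha1(user, "printers@example", pw)
    b = ha1(user, "billing@example", pw)
    print("same password, different realm hashes:", a != b)
    resp = digest_response(a, "GET", "/jobs", nonce)  # computed by the client
    print("printers realm accepts:", verify_digest(a, "GET", "/jobs", nonce, resp))
    print("billing realm accepts: ", verify_digest(b, "GET", "/jobs", nonce, resp))
    salt = b"constructed-salt"
    stored = legacy_hash(pw, salt)
    print("Basic against legacy store:", verify_basic(stored, salt, pw))
```

The legacy store cannot produce HA1 from its salted hash, so it has nothing to feed `verify_digest`. The stored HA1 is itself sufficient to compute valid responses for its own realm, so it needs the same protection as a password file.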