Paul Leach wrote:
> ...
> True, but so does the client. It can (and should be able to be)
> configured with the lowest level of security it will accept, and if
> the server only offers less secure protocols than that, it refuses
> to connect.
This isn't really a negotiation, tho. The client can't change what
the server wants, and visa-versa...
> BTW: there is advantage to running Digest (instead of Basic), even
> with the weakest options, inside of TLS. Basic exposes your password
> to the server, whereas Digest server can store hashes of passwords
> that are realm specific, and so use of the same password in multiple
> realms isn't as big an exposure.
> ...
I agree that there are a lot of benefits with using Digest, but to
interface to an existing non-MD5-based authorization system you need
to use Basic so you have the original password text to work with.
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw.com
Printing Software for UNIX http://www.easysw.com