Re: Protocol Authentication (was Re: Collection convergence?)

[Robert Sayre <mint@xxxxxxxxxxxxxxx>]

John Panzer wrote:

> Note that the draft spec doesn't prohibit doing any of this.  It just 
> says that you also have to support Digest Auth, whatever else you do.  
> I'm not sure whether Blogger intends to support the spec once it's 
> finalized; adding Digest to BASIC auth would be pretty easy.  Has anyone 
> asked Jason Shellen?  (CCd).

Steve and Greg have both posted in the past that they can't and won't 
support Digest. Dare has also objected to the requirement.

> > > I believe we do need a "greatest common denominator" authentication 
> > > specification for interoperability, but could be convinced otherwise.
> >
> > I wish we could do that, but we can't, IMHO.
> OK, that's your opinion; my opinion is the opposite.  You've presented 
> one case (Blogger) that's using something almost compliant with the 
> draft spec, and mentioned a few hypothetical clients that you think 
> won't follow the spec.  I'm still not convinced.  Maybe I'm an incurable 
> optimist.

I think this is not our layer. The real world will shake out industry 
standard auth schemes pretty quickly, I imagine. Deciding security 
requirements for other people is really tough, IMHO.

> > Every client will have a large switch statement in their auth code.
>
>
> Urk.

Urk.

Robert Sayre