> > That would be true if you transparently transformed a more-secure
> > auth-scheme to a less-secure auth-scheme (such as NTLM-to-basic or
> > digets-to-basic [client side first]).
> > But since you really can't do that but only the other way around,
> > it's not really an issue, is it?
>
> It is an issue in information, not technology.
>
> A site might have the policy that logins is only allowed using Digest.
> If you then have a Basic->Digest gateway in the request patch then you
> allow the user to breach this policy, most likely without knowing.
I see your point. My point is that at an intranet level, the cache
manager should know. And at the internet level, he might not care.
> This is also true for Basic->NTLM, as NTLM theoretically
> supports asking
> the user for login details when logging in to another domain without a
> trust arrangement (I don't know if IE does this but it can be done).
It does. Same applies for 'internet zone' (determined if there are
dots in the hostname).
-- /kinkieReceived on Fri Apr 13 2001 - 04:29:36 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:13:45 MST