Return-Path: owner-new-httpd
Received: by taz.hyperreal.com (8.6.10/8.6.5) id HAA25786; Mon, 8 May 1995 07:35:29 -0700
Received: from life.ai.mit.edu by taz.hyperreal.com (8.6.10/8.6.5) with SMTP id HAA25775; Mon, 8 May 1995 07:35:22 -0700
Received: from volterra (volterra.ai.mit.edu) by life.ai.mit.edu (4.1/AI-4.10) for new-httpd@hyperreal.com id AA03051; Mon, 8 May 95 10:35:20 EDT
From: rst@ai.mit.edu (Robert S. Thau)
Received: by volterra (4.1/AI-4.10) id AA02852; Mon, 8 May 95 10:35:18 EDT
Date: Mon, 8 May 95 10:35:18 EDT
Message-Id: <9505081435.AA02852@volterra>
To: new-httpd@hyperreal.com
Cc: new-httpd@hyperreal.com
In-Reply-To: <9505080123.aa29315@paris.ics.uci.edu> (fielding@avron.ics.uci.edu)
Subject: Re: Patch to allow use of password file as auth DB (from USENET)
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

   Date: Mon, 08 May 1995 01:23:06 -0700
   From: "Roy T. Fielding"

   Ummmm, just to pick a little nit, this is a really bad idea from the
   point of security. The Basic AA is bad enough, but to encourage users
   to pass their real system passwords through HTTP en claire is quite
   irresponsible.

Hmmm... just as a reality check, support for encrypted rlogin, telnet and
ftp is hardly universal yet, so many sites are still sending passwords
'en claire' through those rather more prominent protocols.

On the other hand, I suppose I can see the point to keeping out a feature
which makes the problem worse...

rst
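The point both writers take for granted, that Basic authentication carries the password in a reversible encoding rather than encrypting it, is easy to show in code. The following is an added example, not code from this thread or from the Apache project: it parses a Basic Authorization header the way a server must (first colon splits user from password, so a password may itself contain colons), and wraps that in a hypothetical policy helper that refuses to accept such credentials over cleartext HTTP or to check them against the system password file. The header value and the function names are constructed for the example.

```python
import base64
import binascii


def make_basic_header(user, password):
    """Build the Authorization header value a client sends for Basic auth.
    The credentials are only base64-encoded, which anyone can reverse."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


# Constructed sample header for user "alice" with password "s3cret:pw"
# (the colon inside the password is deliberate).
SAMPLE_HEADER = make_basic_header("alice", "s3cret:pw")


def parse_basic_credentials(header_value):
    """Return (user, password) from a Basic Authorization header value,
    or None if the header is absent, not Basic, not valid base64, not UTF-8,
    or lacks the user:password separator. Only the first colon separates
    user from password, so the password may contain further colons."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def basic_auth_policy(request_is_tls, header_value, password_file_is_system):
    """Hypothetical server-side policy check. Returns (accepted, reason).

    A real server would go on to verify the password; this helper only
    decides whether Basic credentials should be accepted at all for the
    request and credential store in question."""
    creds = parse_basic_credentials(header_value)
    if creds is None:
        return False, "no usable Basic credentials"
    if not request_is_tls:
        # Over plain HTTP the password travelled as base64, which every
        # intermediary can decode exactly as parse_basic_credentials did.
        return False, "Basic credentials sent over cleartext HTTP"
    if password_file_is_system:
        # Even over TLS, a web password store should not be the accounts
        # that grant login to the host itself.
        return False, "refusing to verify web logins against the system password file"
    return True, "ok"


if __name__ == "__main__":
    print(parse_basic_credentials(SAMPLE_HEADER))
    print(basic_auth_policy(False, SAMPLE_HEADER, False))
    print(basic_auth_policy(True, SAMPLE_HEADER, True))
    print(basic_auth_policy(True, SAMPLE_HEADER, False))
```

The decode step is the whole of what an on-path observer needs; the policy helper shows the two separate mitigations the thread touches on, transport protection for the credential in flight and keeping web credentials apart from system accounts.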