From new-httpd-owner@apache.org Tue Apr 1 03:22:42 1997
Received: by taz.hyperreal.com (8.8.4/V2.0) id DAA26387; Tue, 1 Apr 1997 03:22:42 -0800 (PST)
Received: from mrelay.jrc.it by taz.hyperreal.com (8.8.4/V2.0) with SMTP id DAA26364; Tue, 1 Apr 1997 03:22:31 -0800 (PST)
Received: from jrc.it (elect6.jrc.it) by mrelay.jrc.it (4.1/EB-950131-C) id AA21368; Tue, 1 Apr 97 13:28:52 +0200
Received: by jrc.it (5.x/EB-950213-L) id AA21856; Tue, 1 Apr 1997 13:21:35 +0200
Date: Tue, 1 Apr 1997 13:21:35 +0200
From: "Dirk.vanGulik"
Message-Id: <9704011121.AA21856@ jrc.it>
To: new-httpd@hyperreal.com
Subject: Re: PR #209 and delays in authentication retry
X-Sun-Charset: US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

> >
> > PR#209 complains that, since he uses his system passwd file as his
> > authentication source, Web-based attacks can be mounted on his
> > accounts with no governor. He wants us to impose a 5-second delay
> > before responding with an authentication failure.
> >
> > I'd like to close this with a "not a chance" reply, but I want to
> > make sure no-one else thinks this is a good idea, or worth
> > considering, first. Penalising people who mis-spell their
> > passwords, or hit the CAPS-LOCK key, just because this chap uses his
> > system passwd file to limit access surely doesn't sound like The
> > Right Thing(tm) to me.
> >

Excuse me; building in some expensive timeout across requests, because the guy is an idiot. You've got to be joking.

-1 from me!

HTTP is a stateless request protocol. Tough.

Dw.