> From: Iljitsch van Beijnum [mailto:iljitsch@xxxxxxxxx] > During the reading of this document, it occurred to me that > HTTP digest authentication (RFC 2617) rather than the widely > used practice of having security credentials be typed into an > HTTP form would achieve 90% of the requirements all by > itself. Well maybe if people had listened to me then :-) But at this point fifteen years later Digest is not the way to go. First Digest was designed under the express constraint of avoiding patent encumberances. RSA and D-H were both off the table at the time. If I was to redo Digest today or expand its scope I would do it differently. The main reason I would not is that SAML and WS-* both provide an excellent solution. I very much like and support the Cardspace idea of building into the O/S platform. I very much like the OpenID concept of making the barrier to entry very low. I would like to arrive at a happy combination of the existing proposals not see more proposals put on the table at this point. _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf