CGI/1.0: last call

decoux@moulon.inra.fr (ts)
Date: Sat, 11 Dec 93 11:50:39 +0100
From: decoux@moulon.inra.fr (ts)
Message-id: <9312111050.AA02536@moulon.moulon.inra.fr>
To: janssen@parc.xerox.com
Cc: www-talk@nxoc01.cern.ch, P.Lister@cranfield.ac.uk,
        p.lister@cranfield.ac.uk
In-reply-to: Bill Janssen's message of Fri, 10 Dec 1993 18:48:51 PST <sh2HIHQB0KGWNGkllD@holmes.parc.xerox.com>
Subject: CGI/1.0: last call

> Interesting.  I just returned from a meeting where various security
> experts impressed on me just how bad an idea that is, as it increases
> the amount of code in the "Trusted Computing Base" unmanageably.  They
> felt that such a system could never be rated secure.

You are right. But the problem is: the authentication protocol of WWW (a la
un*x) is perhaps good enough for HTTP/0.9, but is not adapted for HTTP/1.0,
particularly for the methods PUT, POST, DELETE.

Actually I prefer to write a script with better authentication rather than
use WWW to do it.

Put specific authentication scripts under "/htauth" and don't use
this basic authentication protocol.

Guy Decoux
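The point of the message above is that HTTP Basic authentication (a base64-encoded `user:password` pair, checked by the server) is tolerable for reads but not for state-changing methods, so the script should carry its own, stronger check. The following is an added example written for this page; it is not code from the message, from its author, or from any CGI implementation. It assumes the CGI/1.x environment variable names `REQUEST_METHOD`, `PATH_INFO`, `HTTP_AUTHORIZATION` and a hypothetical `HTTP_X_AUTH_TOKEN` (many servers do not pass the Authorization header to scripts at all), a constructed credential store, and a hypothetical HMAC-based request token as the stand-in for "better authentication". The first function also shows why Basic is weak: the credentials are recovered from the header with a plain base64 decode.

```python
import base64
import binascii
import hashlib
import hmac

# The methods the message singles out as needing better authentication.
STATE_CHANGING = {"PUT", "POST", "DELETE"}

# Constructed secret for the hypothetical token scheme; a real script would
# load it from storage the web server user cannot read.
SCRIPT_SECRET = b"constructed-example-secret"

# Constructed credential store: user -> (salt, hex SHA-256 of salt + password).
USERS = {
    "alice": (b"salt1", hashlib.sha256(b"salt1" + b"s3cret").hexdigest()),
}


def decode_basic_credentials(authorization):
    """Recover (user, password) from a 'Basic' Authorization header, or None.

    Base64 is an encoding, not protection: anyone who sees the header
    sees the password. That is the weakness the message objects to.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def check_password(user, password):
    """Constant-time comparison of a Basic password against the store."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.sha256(salt + password.encode("latin-1")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def make_request_token(user, method, path):
    """Hypothetical stronger credential: HMAC-SHA256 bound to user, method and path.

    Binding the token to the method and path means a token minted for a
    PUT on one document cannot be replayed as a DELETE or against another path.
    """
    msg = "{}\n{}\n{}".format(user, method.upper(), path).encode("utf-8")
    return user + ":" + hmac.new(SCRIPT_SECRET, msg, hashlib.sha256).hexdigest()


def verify_request_token(token, method, path):
    """Return the user named in a valid token for this method and path, else None."""
    if not token or ":" not in token:
        return None
    user, _, mac = token.rpartition(":")
    expected = make_request_token(user, method, path).rpartition(":")[2]
    return user if hmac.compare_digest(mac, expected) else None


def authorize(environ):
    """Gate a CGI request from its environment dict.

    Returns (decision, user). Read methods may proceed on valid Basic
    credentials; PUT/POST/DELETE must present the script's own token and
    are refused if they only carry Basic credentials.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    path = environ.get("PATH_INFO", "/")
    if method in STATE_CHANGING:
        user = verify_request_token(environ.get("HTTP_X_AUTH_TOKEN"), method, path)
        return ("allow", user) if user else ("deny", None)
    creds = decode_basic_credentials(environ.get("HTTP_AUTHORIZATION"))
    if creds and check_password(*creds):
        return ("allow", creds[0])
    return ("deny", None)


if __name__ == "__main__":
    # Constructed requests: a read on Basic credentials, then a PUT with and without the token.
    print(authorize({"REQUEST_METHOD": "GET", "HTTP_AUTHORIZATION": "Basic YWxpY2U6czNjcmV0"}))
    print(authorize({"REQUEST_METHOD": "PUT", "PATH_INFO": "/doc.html",
                     "HTTP_AUTHORIZATION": "Basic YWxpY2U6czNjcmV0"}))
    tok = make_request_token("alice", "PUT", "/doc.html")
    print(authorize({"REQUEST_METHOD": "PUT", "PATH_INFO": "/doc.html", "HTTP_X_AUTH_TOKEN": tok}))
```

The token scheme is only a placeholder for whatever the site's `/htauth` scripts would actually implement; what the example fixes is the structure the message asks for, namely that the server's Basic check is never the sole gate for a write.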