
Re: No More Passwords In The Clear in HTTP!

From: Albert Lunde <Albert-Lunde@nwu.edu>
Date: Mon, 9 Jan 1995 14:52:55 -0600
Message-Id: <v01510102ab36fcf75592@[129.105.110.129]>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
At 1:49 PM 1/9/95, Daniel W. Connolly wrote:
>From: "Electronic Commerce Standards for the WWW (Spyglass)"
>http://www.spyglass.com/techreport/stdsec.htm

>|Simple Authentication - OPTIONAL
>|
>|This scheme, proposed by Spyglass, uses a random challenge sent from
>|the server to the client. The client encodes the random challenge
>|using the user's password as an encryption key in order to establish
>|authentication. See Note B for a full specification.
>|
>|This method is currently indicated as OPTIONAL, but Spyglass believes
>|that it should become REQUIRED for HTTP compliance.
>
>This was something of an eye-opener. It's so simple. We should have
>been doing this all along. There was never any reason to send
>passwords in the clear (well, uuencoded), given HTTP's two-round-trip
>authentication mechanism.

This does look like a good idea. My one concern is that we'd want to make
sure various extension mechanisms could live together before standardizing
an Extension: header, but they seem to think this is not essential to make
the protocol work.

(Are there any other MD5 PW authentication proposals for WWW lurking around
in draft form? I think I've seen this before, but I'm not sure, and I think
it's been done lately for other protocols, too.)

---
    Albert Lunde                      Albert-Lunde@nwu.edu
Received on Monday, 9 January 1995 12:56:39 EST
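The challenge-response scheme quoted above, worked through as an added example; this is not code from the original message, from Spyglass, or from the Note B specification, which is not reproduced on this page. Because the exact encoding in Note B is unknown here, HMAC-MD5 keyed by the password is an assumed stand-in (the page names MD5 but not the construction). The user names, passwords, and word list are constructed sample data. The block contrasts the Basic-style credential (reversible by anyone on the wire) with a one-time random challenge, and adds the caveat a practitioner would want: a captured challenge/response pair still allows an offline dictionary attack, so the scheme removes the cleartext password from the wire but does not protect a weak password.

```python
"""Challenge-response password authentication for HTTP (illustrative).

Assumption: HMAC-MD5 over the server's challenge, keyed by the password,
stands in for the Spyglass "Note B" encoding, which is not on this page.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


def basic_credentials(user: str, password: str) -> str:
    """What Basic auth puts on the wire: base64 is encoding, not secrecy."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic(header_value: str) -> tuple[str, str]:
    """Any passive observer reverses a Basic credential with one decode."""
    user, _, password = base64.b64decode(header_value).decode().partition(":")
    return user, password


def compute_response(password: str, challenge: str) -> str:
    """Client side: encode the challenge under the password as key (assumed HMAC-MD5)."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


class ChallengeServer:
    """Server side: issues one-time random challenges and checks responses.

    The server must hold the password (or a password-equivalent) to verify;
    that is the price of never sending the password across the wire.
    """

    def __init__(self, passwords: dict[str, str]) -> None:
        self._passwords = passwords          # constructed sample store
        self._outstanding: dict[str, str] = {}  # challenge -> user awaiting reply

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(16)  # 128 random bits: unpredictable, unique
        self._outstanding[challenge] = user
        return challenge

    def verify(self, user: str, challenge: str, response: str) -> bool:
        # A challenge is usable exactly once, so replaying a captured response fails.
        if self._outstanding.pop(challenge, None) != user:
            return False
        password = self._passwords.get(user)
        if password is None:
            return False
        expected = compute_response(password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def offline_guess(challenge: str, response: str, wordlist: list[str]) -> str | None:
    """The caveat: an eavesdropper who captured one exchange can test guesses
    offline at full speed. Challenge-response fixes the on-the-wire disclosure,
    not the weakness of a guessable password."""
    for guess in wordlist:
        if hmac.compare_digest(compute_response(guess, challenge), response):
            return guess
    return None


def demo() -> dict[str, object]:
    """Run one exchange end to end on constructed sample data."""
    secret = "correct horse battery staple"
    server = ChallengeServer({"alice": secret})

    challenge = server.issue_challenge("alice")
    response = compute_response(secret, challenge)

    second_challenge = server.issue_challenge("alice")
    bad_response = compute_response("wrong password", second_challenge)

    return {
        "basic_leaks_password": recover_basic(basic_credentials("alice", "hunter2"))[1] == "hunter2",
        "first_use_ok": server.verify("alice", challenge, response),
        "replay_rejected": server.verify("alice", challenge, response),
        "wrong_password_rejected": server.verify("alice", second_challenge, bad_response),
        "password_on_wire": secret in (challenge + response),
        "dictionary_hit": offline_guess(challenge, response, ["123456", "letmein", secret]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `_outstanding` table is what makes a challenge single-use; without it a recorded response would authenticate again, which is the replay weakness a nonce exists to prevent. The `offline_guess` function is deliberately included so the contrast with Basic auth is not oversold: the scheme denies the attacker the password itself, but a passive capture still yields a verifier for offline guessing.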
