W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1995

Proposed new authentication scheme for HTTP

From: Eric W. Sink <eric@spyglass.com>
Date: Tue, 10 Jan 1995 14:20:07 -0600
Message-Id: <ab389bc60702100463d5@[192.246.238.160]>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, www-talk@info.cern.ch

Recently, we proposed a simple authentication scheme, based on the MD5
algorithm, for possible inclusion in the discussed HTTP/1.1.

It has been suggested by Phillip Hallam-Baker that the scheme should
not use MD5, due to a known weakness.  He is suggesting the use of SHA
instead.  We would like to generate discussion on this, so that we can
move quickly toward consensus.

The choice need not be a difficult one.  This simple access
authentication scheme is not intended to be a solution to the entire
web-security need.  What we seek is a simple but relatively secure
replacement for the Basic Access Authentication scheme in HTTP/1.0.

We chose MD5 primarily because code is widely available, in the belief
that it was strong enough for our target usage.  However, if there is
consensus that SHA would be an all-around better choice, we will revise
our proposal.

It is our intention to make source code for our scheme available as we
can do so.  Some software developers have already expressed enthusiasm
for helping with prototype implementations of the scheme.

The current draft of our proposal is located at:

http://www.spyglass.com/techreport/simple_aa.txt

Please send comments to the http-wg mailing list.

--

Eric W. Sink            eric@spyglass.com
Jeffery L. Hostetler    jeff@spyglass.com
Spyglass, Inc.
Received on Tuesday, 10 January 1995 11:16:34 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:13 EDT