- From: Alex Hopmann <hopmann@holonet.net>
- Date: Fri, 14 Jul 1995 17:35:04 -0700
- To: Dave Kristol <dmk@allegra.att.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>John Franks <john@math.nwu.edu> says: > [...] > > Under the current proposal what is stored in the server user/password > > file is > > user:H(<username> : <realm> : <password>) > > > > So gaining illicit access to the server password file does not > > compromise the password. Of course, it *does* grant illicit access to > > the documents on that server in that realm. I believe this is what > > Brad Barber was referring to when he said the password file needed to > > receive highest security. > [...] > >That helps, but I have a quibble. I would prefer not to tie the username >and password so strongly to a particular realm, because: > 1) I might like to change the name of the realm (if only slightly). I have to agree with this first quibble quite a bit. In an actual product implementation of message digest we have had some issues arrise because if the server operator wants to change their realm, their entire user/password database suddently becomes inoperative. Any chance that we could (if there is some move to change the digest draft, for example to move the location of the nonce), change the inclusion of the realm in there with the username and password (The A1 substring)? Alex Hopmann ResNova Software, Inc. hopmann@holonet.net
Received on Friday, 14 July 1995 17:38:00 UTC