
Re: potential security holes in digest authorization

From: Chuck Shotton <cshotton@biap.com>
Date: Mon, 17 Jul 1995 10:01:47 -0500
Message-Id: <v02120d02ac2fe45c6444@[]>
To: Dave Kristol <dmk@allegra.att.com>, john@math.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>Fair enough.  How about using the server-name in place of realm, then?
>(After all, it's possible two webmasters might choose the same realm
>name on different servers, isn't it!) That would render the same
>username/password combination unique on different machines.  So the
>stored hash would be:
>        H(<username> : <server-domain-name> : <password>)

This isn't any better, given that one user may have multiple occurrences of
the same name and password for different realms. (It happens!) The best
would be a combination of host domain name and realm name.

Chuck Shotton                               StarNine Technologies, Inc.
chuck@starnine.com                             http://www.starnine.com/
cshotton@biap.com                                  http://www.biap.com/
                 "Shut up and eat your vegetables!"
Received on Monday, 17 July 1995 07:58:53 UTC
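The three scoping choices discussed in this thread (realm only, server name only, or host plus realm), worked through as an added example that is not part of the original message or of any draft text. The hosts, realms, username and password are constructed sample values, and MD5 is used only because that is the hash the 1995 Digest draft specified; the point is how many distinct stored credentials one reused username/password pair yields, and whether a stored hash on one host or realm is identical to one stored elsewhere.

```python
import hashlib
from itertools import product

# Constructed scenario: one user reuses the same username and password on
# two hosts, and both webmasters happened to pick the same two realm names.
HOSTS = ["www.example.com", "intranet.example.net"]
REALMS = ["staff", "admin"]

# How the "scope" component of H(username : scope : password) is formed
# under each proposal from the thread.
SCOPE_SCHEMES = {
    "realm-only": lambda host, realm: realm,            # original draft
    "host-only": lambda host, realm: host,              # Kristol's suggestion
    "host+realm": lambda host, realm: f"{host}/{realm}",  # Shotton's suggestion
}


def stored_hash(username: str, scope: str, password: str) -> str:
    """Digest-style stored credential H(username ":" scope ":" password).

    MD5 as in the 1995 draft; the hash algorithm is not what this example
    is about, only what goes into it.
    """
    return hashlib.md5(f"{username}:{scope}:{password}".encode()).hexdigest()


def distinct_hashes(scheme: str, username: str = "alice",
                    password: str = "hunter2") -> int:
    """Number of distinct stored hashes across all host/realm pairs."""
    scope_of = SCOPE_SCHEMES[scheme]
    hashes = {stored_hash(username, scope_of(h, r), password)
              for h, r in product(HOSTS, REALMS)}
    return len(hashes)


def hash_shared_across_hosts(scheme: str, username: str = "alice",
                             password: str = "hunter2") -> bool:
    """True if some hash stored on one host also appears on the other.

    This is the weakness of realm-only scoping: two servers that use the
    same realm name end up holding identical stored credentials.
    """
    scope_of = SCOPE_SCHEMES[scheme]
    per_host = [{stored_hash(username, scope_of(h, r), password) for r in REALMS}
                for h in HOSTS]
    return bool(per_host[0] & per_host[1])


def hash_shared_across_realms(scheme: str, username: str = "alice",
                              password: str = "hunter2") -> bool:
    """True if some hash stored for one realm also appears for another realm.

    This is Shotton's objection to host-only scoping: the same user with
    the same password in two realms on one host gets one identical hash.
    """
    scope_of = SCOPE_SCHEMES[scheme]
    per_realm = [{stored_hash(username, scope_of(h, r), password) for h in HOSTS}
                 for r in REALMS]
    return bool(per_realm[0] & per_realm[1])


if __name__ == "__main__":
    for scheme in SCOPE_SCHEMES:
        print(f"{scheme:11s} distinct={distinct_hashes(scheme)} "
              f"shared_across_hosts={hash_shared_across_hosts(scheme)} "
              f"shared_across_realms={hash_shared_across_realms(scheme)}")
```

With two hosts and two realms there are four protection spaces; only the host+realm scope gives four distinct stored hashes and shares none across hosts or across realms, which is the property Shotton is arguing for.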

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:14 UTC