
Re: potential security holes in digest authorization

From: Dave Kristol <dmk@allegra.att.com>
Date: Mon, 17 Jul 95 11:06:21 EDT
Message-Id: <199507171514.AA066294079@hplb.hpl.hp.com>
To: cshotton@biap.com
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
cshotton@biap.com (Chuck Shotton) said:
  > >[Dave Kristol said:]
  > >Fair enough.  How about using the server-name in place of realm, then?
  > >(After all, it's possible two webmasters might choose the same realm
  > >name on different servers, isn't it!) That would render the same
  > >username/password combination unique on different machines.  So the
  > >stored hash would be:
  > >        H(<username> : <server-domain-name> : <password>)
  > This isn't any better, given that one user may have multiple occurrences of
  > the same name and password for different realms. (It happens!) The best
  > would be a combination of host domain name and realm name.

True enough.  But encoding the realm name (along with host domain name)
in the stored string would return me to the dilemma I had before:  what
if I need/want to change domain name?  The entire password file becomes

Dave Kristol
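As an added illustration that is not part of the original thread, the stored-hash scheme the message discusses, worked through both halves of the Digest exchange: the server keeps only H(username:scope:password), where scope is the realm or the host domain name, and verifies a client response H(H(A1):nonce:H(A2)) without ever seeing the password. The hash function (MD5, as the 1995 draft's H()), the host names and the nonce are assumptions; all sample values are constructed.

```python
import hashlib


def h(s: str) -> str:
    """H() of the 1995 Digest draft, MD5 hex (assumed here for illustration only)."""
    return hashlib.md5(s.encode()).hexdigest()


def stored_hash(username: str, scope: str, password: str) -> str:
    """What the server's password file keeps: H(username:scope:password).
    scope is the realm (draft) or the host domain name (the proposal in the thread)."""
    return h(f"{username}:{scope}:{password}")


def client_response(username: str, scope: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    """Client side: response = H( H(A1) : nonce : H(A2) ),
    with A1 = username:scope:password and A2 = method:uri."""
    ha1 = h(f"{username}:{scope}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1: str, nonce: str, method: str, uri: str, response: str) -> bool:
    """Server side: only H(A1) is on disk, so it recomputes the outer hash and compares."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{stored_ha1}:{nonce}:{ha2}") == response


def rename_host_keeps_working(username: str, password: str,
                              old_host: str, new_host: str) -> bool:
    """The dilemma in the message: bind A1 to the host name, then rename the host.
    The server still has only H(username:old_host:password); the client now
    hashes with new_host.  Returns whether the stored entry can still verify."""
    nonce = "constructed-nonce-1"           # constructed sample value
    stored = stored_hash(username, old_host, password)   # all the server ever kept
    resp = client_response(username, new_host, password, nonce, "GET", "/index.html")
    return server_verify(stored, nonce, "GET", "/index.html", resp)
```

With the realm as scope, two servers whose webmasters picked the same realm name store an identical hash for the same username/password, which is the collision the quoted message points out; with the host name as scope, rename_host_keeps_working() returns False, which is the password-file problem Kristol raises.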
Received on Monday, 17 July 1995 08:16:28 UTC