
Re: potential security holes in digest authorization

From: Dave Kristol <dmk@allegra.att.com>
Date: Mon, 17 Jul 95 12:59:00 EDT
Message-Id: <199507171832.AA289945955@hplb.hpl.hp.com>
To: john@math.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
John Franks <john@math.nwu.edu> said:
  [I said:]
  > > I disagree with the premise.  I wouldn't encode the domain name that
  > > the user accessed to reach my server.  I would encode the name that the
  > > server uses for itself, for example the name set by NCSA HTTPD
  > > ServerName directive.
  > 
  > How is the client supposed to know this?  You'll have to make further
  > additions to the protocol.  Maybe I am confusing who said what but
  > didn't you also complain that encoding the hostname would make it
  > impossible to move the password file to a new host?  This is a good
  > point and suggests a realm containing the enterprise name, but not the
  > host name -- something like "group@Enterprise_Name" e.g.
  > "Engineering@ATT_Bell_Labs".
You're right -- the client doesn't know the name.  Stupid idea on my part.
[...]

Dave Kristol
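The point of the exchange above (a realm built from the enterprise name keeps the digest password file portable between hosts, a realm built from the host name does not) can be checked directly, because the stored credential in digest authentication is HA1 = MD5(username:realm:password) and nothing else enters it. The following is an added example, not code from the thread: it uses the RFC 2069-style response formula MD5(HA1:nonce:MD5(method:uri)) with MD5, the realm string "Engineering@ATT_Bell_Labs" quoted above, and constructed user, password, nonce and host names (`host-a.example`, `host-b.example`). A password file is created on one host, copied to another, and a client then authenticates against the realm the second host advertises.

```python
import hashlib
import hmac

# Realm form suggested in the thread: carries the enterprise name, not the host name.
ENTERPRISE_REALM = "Engineering@ATT_Bell_Labs"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).

    Only these three values are hashed, so the stored credential is bound to
    the realm string and to nothing about the host that stores it.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def hostname_realm(host: str) -> str:
    # The realm form the thread argues against: it changes whenever the host does.
    return f"Engineering@{host}"


def enterprise_realm(host: str) -> str:
    # The realm form the thread suggests: the same string on every host.
    return ENTERPRISE_REALM


def build_password_file(users: dict, realm: str) -> dict:
    """Server-side store of HA1 values, i.e. what a digest password file holds."""
    return {user: ha1(user, realm, pw) for user, pw in users.items()}


def client_response(username: str, password: str, realm: str,
                    nonce: str, method: str, uri: str) -> str:
    """RFC 2069-style response: MD5(HA1:nonce:MD5(method:uri)), no qop."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{ha2}")


def server_verify(pwfile: dict, username: str, nonce: str,
                  method: str, uri: str, response: str) -> bool:
    """Recompute the expected response from the stored HA1.

    The server never needs the cleartext password, and the comparison is
    constant-time so the check itself leaks nothing about the stored value.
    """
    stored = pwfile.get(username)
    if stored is None:
        return False
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


def password_file_survives_move(realm_for_host, old_host: str = "host-a.example",
                                new_host: str = "host-b.example") -> bool:
    """Create the password file on old_host, copy it to new_host, then have a
    client authenticate to new_host with the realm new_host advertises.

    realm_for_host is a function mapping a host name to the realm it serves;
    hosts, user, password and nonce are constructed for this example.
    """
    users = {"alice": "correct horse battery staple"}  # constructed credentials
    pwfile = build_password_file(users, realm_for_host(old_host))  # "copied" as-is
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"        # constructed server nonce
    advertised = realm_for_host(new_host)
    resp = client_response("alice", users["alice"], advertised,
                           nonce, "GET", "/dir/index.html")
    return server_verify(pwfile, "alice", nonce, "GET", "/dir/index.html", resp)


if __name__ == "__main__":
    print("host-name realm, file moved to new host:",
          password_file_survives_move(hostname_realm))     # False
    print("enterprise realm, file moved to new host:",
          password_file_survives_move(enterprise_realm))   # True
```

With the host-name realm the HA1 values in the copied file were computed under "Engineering@host-a.example" while the new host challenges with "Engineering@host-b.example", so every login fails until the file is rebuilt; with the enterprise realm the same file verifies on either host. The same property is why the realm string must be treated as part of the credential: changing it invalidates every stored HA1.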
Received on Monday, 17 July 1995 11:34:30 EDT
