W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1995

Re: Digest Authentication. Moving towards last call...

From: Jeff Hostetler <jeff@rafiki.spyglass.com>
Date: Wed, 20 Dec 95 11:58:23 -0600
Message-Id: <9512201758.AA19721@fido.spyglass.com>
To: "Phillip M. Hallam-Baker" <hallam@w3.org>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, stefek_zaba@hplb.hpl.hp.com, spowers@ncsa.uiuc.edu, hopmann@holonet.net, jeff@fido.spyglass.com

> At the IETF HTTP-WG it was agreed to form sub-groups on a number of issues
> including Digest Authentication in HTTP. I would like to request anyone with
> objections to Jeff Hosteltler's draft (now expired) to make them known in the
> next three weeks - say January 10th?
> I would ask Jeff to resubmit the draft so that we can know what the proposal
> is. 

by popular request, we are in the process of resubmitting the draft.
it should be available tomorrow.  i think jan 10 is a good goal.

> To revise people's memories Digest authentication allows a user to demonstrate
> that they know a password without sending it over the Internet in a form that
> can be decrypted. It does require servers to keep authentication databases
> which are sensitive in that any compromise to them will compromise their
> security ass access codes. This is the best that can be done without using
> public key however. The UNIX method of storing passwords means that passwords
> have to be sen over the network in the clear. digest Authentication is
> effectively providing Kerberos type security without a mediator.
> There are a few outstanding issues:
> 1) Should we include a mediated form of the authentication?
> 2) Should we specify a mechanism for defining new Keyed Digest algorithms?
> 3) Is Kerberos integration a practical proposition?

i think we should leave these ideas for another authentication scheme.
the orignal goal of Digest was that we can do significantly better
than Basic with a near-trival set of changes.  we went from practically
no security [uuencode("username:password")] to something with some nice
properties while retaining the existing (2 party) web-model.  we were
also able to keep it free of patents and royalties and fully exportable
and (probably) importable.  i think we should be happy with it as is.

> 4) The syntax of the WWW-Authenticate: field is peculiar.

yes, let's discuss this in the sub-group.  whether we change the syntax
or not, there's a definite need to improve the wording and eliminate
some ambiguity.

> We now have 2 entirely independent implementations, one in Spyglasses deployed
> prducts and another in the Common Lisp Web server. Since both of those products
> tend to get distributed on CD-ROMS there had better be a good reason behind any
> proposed changes.

FYI, NCSA, John Franks, and David Kristol also have implementations.
are there any others ??

jeff hostetler
spyglass, inc.
Received on Wednesday, 20 December 1995 10:04:08 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:15 UTC