W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Where should Digest go next?

From: Eric W. Sink <eric@rafiki.spyglass.com>
Date: Wed, 03 Jan 1996 09:49:40 -0600
Message-Id: <2.2.32.19960103154940.00724f04@spyglass.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

I'd like to welcome new contributors to the discussion on Digest
authentication, and give you a bit of history behind this proposed
authentication mechanism.

Digest was conceived with a very simple purpose, to meet a need for Spyglass
and one of its partners.  The goal was to design a simple mechanism for
authentication using a shared secret password, but make it somewhat stronger
than Basic authentication.  For all practical purposes, sending a uuencoded
password is just like sending it in the clear, right?

Digest definitely has holes and limitations.  We did not set out to design a
Great authentication scheme.  We set out to design a Better authentication
scheme.

Since doing so, I've noticed a great deal of interest in designing a Great
authentication scheme, and the Digest drafts tend to act as a magnet for
that interest.

I'd like to suggest that if this group thinks a Great auth scheme should be
part of the HTTP protocol, then I think a subgroup should design one, but
call it something other than Digest.

If the group thinks that Digest is adequate for inclusion in the protocol,
then it is certainly available.

We would appreciate it if you did not change Digest in a non-compatible
fashion. There are a number of shipping implementations of this scheme now,
and if this group adopts any scheme which is called Digest, then I would
like to ensure that those implementations interoperate with whatever comes out.

--
Eric W. Sink
eric@spyglass.com
Received on Wednesday, 3 January 1996 07:47:52 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:42 EDT