W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Re: Where should Digest go next?

From: Donald E. Eastlake 3rd <dee@cybercash.com>
Date: Wed, 3 Jan 1996 21:41:29 -0500 (EST)
To: Larry Masinter <masinter@parc.xerox.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SUN.3.91.960103213640.13025B-100000@cybercash.com>
On Wed, 3 Jan 1996, Larry Masinter wrote:

> I'm just trying to figure out how to deal with 'Digest Authentication'
> in the face of claims that the mechanism has well known holes and
> limitations. Here are the procedural options, as far as I can see
> them:
> 1- Submit as Proposed standard as part of HTTP/1.1
> 2- Submit as Proposed standard as a separate document
> 3- Submit as Informational, as part of HTTP/1.0
> 4- Submit as Informational, as a separate document
> 5- Don't handle as part of IETF
> The problem with options 1 and 2 is whether such Proposed Standards
> would have a chance of actually making it to Standard without change.
> I don't think this will work out: the standards track really does
> require us to propose solutions that don't have major holes, and if
> we're not interested in fixing the known problems, trying to move
> along standards track is inappropriate.

I can't see anything wrong with having a spectrum of solutions that
meet a spectrum of threat environments.  Security need not be
perfect to be useful.

> The problem with option 3 is that it would delay the (already late)
> HTTP/1.0 spec.
> So, I'm leaning toward option 4 or 5. With option 4, it is likely that
> if you submit it in the current form, the IESG would either add or
> require the authors to add appropriate disclaimers as to how Digest
> Authentication might not add significant additional security above and
> beyond Basic Authentication.

Seems only reasonable to tell people what they are getting with an
autentication scheme but the judgement that its effectivley the same
as Basic in strength in only true for cerain threat environments.

> Is this agreeable? I'd like to get the 'Digest Authentication' item
> out of its currently stalled status, and move forward on this one way
> or another.

If you would like standard conformant software to include the feature,
include it in the standard.

Donald E. Eastlake 3rd     +1 508-287-4877(tel)     dee@cybercash.com
   318 Acton Street        +1 508-371-7148(fax)     dee@world.std.com
Carlisle, MA 01741 USA     +1 703-620-4200(main office, Reston, VA)
Received on Wednesday, 3 January 1996 18:48:11 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:16 UTC