
Re: Where should Digest go next?

From: John Franks <john@math.nwu.edu>
Date: Wed, 3 Jan 1996 21:31:35 -0600 (CST)
To: "Donald E. Eastlake 3rd" <dee@cybercash.com>
Cc: Larry Masinter <masinter@parc.xerox.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SUN.3.91.960103210812.9761B-100000@hopf.math.nwu.edu>

On Wed, 3 Jan 1996, Donald E. Eastlake 3rd wrote:

> On Wed, 3 Jan 1996, Larry Masinter wrote:
> 
> > I'm just trying to figure out how to deal with 'Digest Authentication'
> > in the face of claims that the mechanism has well known holes and
> > limitations. Here are the procedural options, as far as I can see
> > them:
> > 
> > 1- Submit as Proposed standard as part of HTTP/1.1
> > 2- Submit as Proposed standard as a separate document
> > 3- Submit as Informational, as part of HTTP/1.0
> > 4- Submit as Informational, as a separate document
> > 5- Don't handle as part of IETF
> 
> I can't see anything wrong with having a spectrum of solutions that
> meet a spectrum of threat environments.  Security need not be
> perfect to be useful.
> 

I agree.  That is the point.

> > So, I'm leaning toward option 4 or 5. With option 4, it is likely that
> > if you submit it in the current form, the IESG would either add or
> > require the authors to add appropriate disclaimers as to how Digest
> > Authentication might not add significant additional security above and
> > beyond Basic Authentication.
> 
> Seems only reasonable to tell people what they are getting with an
> authentication scheme but the judgement that it's effectively the same
> as Basic in strength is only true for certain threat environments.
> 

Has anyone suggested that digest authentication is effectively the
same as Basic?  I have followed this thread closely and surely missed
that if it was suggested.  I just reread the message from Allan
Schiffman and he did not say this.  I think that Digest is dramatically
better than Basic, albeit, still not perfect and not as strong as a
much more complex scheme would be.

The biggest problem with Basic is that passwords are effectively sent
in the clear.  Many naive users tend out of laziness to use the same
password for both sensitive and non-sensitive accounts. Such a person
might well use their login password for access to, say, HotWired member
activities.  Their accounts can then be compromised by anyone with a sniffer.

Digest authentication is certainly inappropriate for banking
transactions.  But it is plenty adequate for HotWired membership and
similar activities.  If we toss out Digest authentication now then at
some future time we could well regret leaving open the gaping hole
that Basic authentication represents.

John Franks
Received on Wednesday, 3 January 1996 19:38:54 EST
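As an added illustration of the difference the message draws between the two schemes (example code written for this archive page, not from the thread or from any HTTP implementation; the username, password, realm and nonce are constructed sample values): Basic places the password itself in the Authorization header, so a passive observer reads it straight off the wire, while Digest in its RFC 2069 form sends only an MD5 of password-derived material bound to the server's nonce, which the server checks by recomputing it.

```python
import base64
import hashlib

# Constructed sample values for the demonstration (not taken from the thread).
USERNAME = "alice"
PASSWORD = "s3cret-pw"
REALM = "members@example.org"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server-chosen, fresh per challenge
METHOD = "GET"
URI = "/members/"

def basic_header(username, password):
    """Basic: the Authorization value is just base64(user:password)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def sniff_basic(header_value):
    """What a passive observer recovers from a Basic header: the password itself."""
    token = header_value.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _h(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, password, realm, nonce, method, uri):
    """Digest (RFC 2069 form, no qop): response = H(H(A1) ':' nonce ':' H(A2))."""
    ha1 = _h(f"{username}:{realm}:{password}")   # A1 = user:realm:password
    ha2 = _h(f"{method}:{uri}")                  # A2 = method:uri
    return _h(f"{ha1}:{nonce}:{ha2}")

def digest_header(username, password, realm, nonce, method, uri):
    """The Digest Authorization value: the password never appears on the wire."""
    resp = digest_response(username, password, realm, nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')

def server_verify(header_value, stored_password, nonce, method):
    """Server side: parse the fields and recompute the response from its own copy."""
    fields = dict(p.split("=", 1) for p in header_value[len("Digest "):].split(", "))
    f = {k: v.strip('"') for k, v in fields.items()}
    if f["nonce"] != nonce:
        return False   # nonce does not match the challenge we issued: reject
    expected = digest_response(f["username"], stored_password, f["realm"], nonce, method, f["uri"])
    return f["response"] == expected
```

A real server keeps H(A1) rather than the password, but the check is the same recomputation shown here.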
