
Re: Where should Digest go next?

From: Fisher Mark <FisherM@is3.indy.tce.com>
Date: Thu, 04 Jan 96 10:47:00 PST
To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <30EC20E8@MSMAIL.INDY.TCE.COM>

Alex Hopmann writes in <199601040336.TAA02558@nic.cerf.net>:
>I think I would greatly prefer #2. While I have been one of the people
>pointing out some of the problems with Digest and trying to get a "better"
>scheme developed, I agree strongly with the comments made by other people in
>this thread- Digest works great as it is as something that is better than
>Basic. Basically I would claim that "Given the design criteria of Digest
>authentication, it doesn't have major holes, and we have shown that we can
>create interoperable implementations". I don't think it needs to be the
>end-all-be-all of security as long as the RFC makes clear its security
>weaknesses.

As someone who has held a U.S. SECRET clearance, I know that you don't 
always need the absolutely most secure procedures to ensure adequate 
security (i.e. I prefer #2 also).  "Adequate", though, tends to be 
circumstance-specific.  If you *really* are concerned about security, you 
wouldn't even receive this mailing list at your main computer, instead 
shunting it to an *email-only* system.  Not to mention directly connecting 
your main computer to the Internet, even through a firewall -- you would 
have a physically separate network for Internet-connected computers, like 
defense contractors sometimes do.
======================================================================
Mark Leighton Fisher                   Thomson Consumer Electronics
fisherm@indy.tce.com                   Indianapolis, IN
Received on Thursday, 4 January 1996 07:53:04 EST
