W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Re: [Content-MD5 and Message Digest Authentication.], MD5 broken.

From: <hallam@w3.org>
Date: Mon, 29 Apr 96 14:52:13 -0400
Message-Id: <9604291852.AA07492@zorch.w3.org>
To: Paul Leach <paulle@microsoft.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, hallam@w3.org

>Not really. The shared secret is the password, not its hash. Giving
>H(A1) to a server is just a way a group of servers can be given the
>password without needing to have them all have the password in
>plaintext. How they get it betwen themselves is outside the scope of the
>spec.

Actually I was pretty keen on the shared secret being the hash. The idea being 
that the server need not ever know the password itself. This would be secure 
enough for many applications.

The additional hassle probably isn't worthwhile at this stage.


>In your scheme, servers that only want to support SHA would have to have
>an implementation of MD5 available -- and they might not have a license
>from RSA DSI.

Actually the license terms are merely that you call it RSA-MD5 and tell pe0op,e 
that you use it, and those are only if you use Ron's code.


O.K. so things look pretty much alright provided we put in a note to mention 
that SHA is preferred over MD5.


	Phill
Received on Monday, 29 April 1996 11:56:27 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:52 EDT