Re: Netscape vs. Digest (?) from Ben Laurie on 1996-08-28 (ietf-http-wg@w3.org from July to September 1996)

From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Date: Wed, 28 Aug 1996 14:17:35 +0100 (BST)
To: jg@zorch.w3.org
Cc: montulli@netscape.com, ms@gf.org, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <9608281417.aa25971@gonzo.ben.algroup.co.uk>

jg@zorch.w3.org wrote:
> 
> 
> Lou Montulli writes:
> > Why would you ever want to use digest if you already have
> > certificate support?
> 
> I think at least one reason is clear:
> 	Lack of export control hassles on hashing for authentication.
> 
> This means we can make it universal, and stop passwords in the clear
> world-wide.  And as the #1 (and I think #2) servers on the Internet
> are Apache and NCSA, which have no solution to the export problem
> available to them

In fact, Apache does have a solution - originate the code outside the US and
import it. This has a major advantage over exported servers in that the
crypto is not crippled. This solution is, of course, Apache-SSL.

> (as I understand it, the Apache folks had their arms
> twisted to even remove hooks for stronger forms of encryption or
> authentication),

Actually, it was the NCSA that had the arm-twist applied (by the NSA, I'm
told), and they advised the Apache Group to follow suit, which they did.

> this is a Big Issue.  It is far from clear to me that
> certificate support is universally available as a result of this
> action of the government.  Even if the code were available worldwide, it can't
> just get dropped into a server distribution.

This is true. If we were to drop crypto into the main Apache distribution, it
would prevent the distribution from being stored in the US (not really a big
deal) but worse, it would prevent US developers from working on Apache. This is
why Apache-SSL is distributed separately, and developed entirely outside the
US by non-US nationals.

But even if there were no export hassles, certificate support is no substitute
for digest auth. The code is several orders of magnitude harder to write, and
the maintenance overhead for the user of certificates is also considerably
greater than maintaining digest auth.

Apache supports digest auth in a few hundred lines of code. Certificate support
takes tens of thousands of lines.

Cheers,

Ben.

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.            Apache Group member (http://www.apache.org)

Received on Wednesday, 28 August 1996 07:11:02 UTC