
Digest Auth (fwd)

From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Date: Thu, 29 Aug 1996 10:53:23 +0100 (BST)
To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <9608291053.aa29561@gonzo.ben.algroup.co.uk>
Alexei Kosut (or someone doing a very good impression of him) asked me to
forward this to the list, as he is having email problems:

Alex Hopmann wrote:

> I was actually speaking with the MSIE folks about this just today- They
> removed the digest support because they couldn't find any servers to
> test it against. They have assured me that it will be back in the next
> version.

Baloney - the latest versions of both Apache and NCSA's web servers (which
together make up more than 40% of Internet web servers) support digest
auth.

The problem here may be that no one actually *uses* digest auth. The
problem is that these servers don't let you use both together. This is
because both servers (indeed, pretty much all Unix HTTP servers that I
know of) store Basic passwords crypted. This makes them unusable for
Digest auth's purposes, which either needs the passwords in the clear or
hashed. So the vast installed base of installed authentication cannot use
digest (except in specific, intranet-like cases, where you are assured
that the user is capable of supporting digest auth).

In addition, the architecture of both servers makes it so that they cannot
support more than one authentication scheme at the same time - so you
cannot maintain separate password files for each, one crypted and one
hashed.

This may help to explain why it hasn't taken off, even though it's been in
a majority of WWW servers for several months. No one uses it on their
servers, therefore no clients want to take the time to implement it.

(FWIW, now that I've thought of it, I may make the upcoming Apache 1.2
support both basic and digest auth at once (though not for existing
password databases, unfortunately, which would of course be ideal, but as
I've mentioned, they're crypted), possibly easing the hopeful transition
from digest to basic auth.)

-- Alexei Kosut <akosut@organic.com>            The Apache HTTP Server 
   http://www.nueva.pvt.k12.ca.us/~akosut/      http://www.apache.org/
Received on Thursday, 29 August 1996 03:48:57 EDT
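The point Alexei makes about crypted Basic password files is worth seeing in code. The following is an added illustration, not part of the forwarded message or of Apache or NCSA httpd: it models the 1996-era Digest scheme (RFC 2069, no qop), where the server must know H(A1) = MD5(user:realm:password), beside a Basic-style file that holds only a one-way hash of the password. The realm, user, nonce and the salted SHA-256 stand-in for crypt(3) are all constructed for the example. It also shows the transition he hints at: a file of H(A1) values can verify Basic logins as well as Digest ones, while the reverse is impossible.

```python
"""Why a crypt-style Basic password file cannot serve Digest auth.

Added example; the realm, user, nonce and salted-hash store are
constructed stand-ins, not values from any real server.
"""
import hashlib
import hmac
import os

REALM = "example"  # assumed realm for the constructed H(A1) store


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- Basic-style store: one-way hash of the password alone.
# Stand-in for crypt(3): the stored value depends only on salt + password,
# so nothing in it lets the server recover MD5(user:realm:password).
def basic_store_entry(password: str, salt: bytes) -> str:
    return salt.hex() + "$" + hashlib.sha256(salt + password.encode()).hexdigest()


def basic_verify(entry: str, password: str) -> bool:
    salt_hex, digest = entry.split("$")
    expected = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


# --- Digest-style store: H(A1) = MD5(user:realm:password), per RFC 2069.
def ha1(user: str, password: str, realm: str = REALM) -> str:
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(h_a1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2069 response: MD5(H(A1):nonce:H(A2)) with H(A2) = MD5(method:uri)."""
    h_a2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h_a1}:{nonce}:{h_a2}")


def digest_verify(store: dict, user: str, nonce: str, method: str, uri: str, response: str) -> bool:
    """Server side: recompute the response from the stored H(A1) and compare."""
    h_a1 = store.get(user)
    if h_a1 is None:
        return False
    return hmac.compare_digest(digest_response(h_a1, nonce, method, uri), response)


def basic_verify_against_ha1_store(store: dict, user: str, password: str) -> bool:
    """Basic login against an H(A1) file: recompute H(A1) from the cleartext
    password the client sent. This direction works; the reverse does not."""
    h_a1 = store.get(user)
    return h_a1 is not None and hmac.compare_digest(ha1(user, password), h_a1)


def demo() -> dict:
    user, password = "alice", "correct horse"           # constructed credentials
    basic_file = {user: basic_store_entry(password, os.urandom(8))}
    ha1_file = {user: ha1(user, password)}
    nonce = "constructed-nonce-1"
    # What a correct Digest client would send for GET /private/
    client_resp = digest_response(ha1(user, password), nonce, "GET", "/private/")
    return {
        "basic_ok": basic_verify(basic_file[user], password),
        "basic_wrong_pw": basic_verify(basic_file[user], "nope"),
        "digest_ok": digest_verify(ha1_file, user, nonce, "GET", "/private/", client_resp),
        "digest_wrong_uri": digest_verify(ha1_file, user, nonce, "GET", "/other/", client_resp),
        # The Basic file's entry is not H(A1) and cannot be turned into it,
        # so a server holding only that file can never verify a Digest response.
        "digest_from_basic_file": digest_verify(basic_file, user, nonce, "GET", "/private/", client_resp),
        "basic_via_ha1_store": basic_verify_against_ha1_store(ha1_file, user, password),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that an H(A1) file is still sensitive: anyone who reads it can answer Digest challenges for that realm directly, so it needs the same file-permission care as a cleartext password file, which is part of why migrating an existing crypted user base is not a drop-in change.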

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:08 EDT