
Re: Digest Auth (fwd)

From: <hallam@ai.mit.edu>
Date: Thu, 29 Aug 96 10:45:15 -0400
Message-Id: <9608291445.AA13513@etna.ai.mit.edu>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Cc: hallam@ai.mit.edu

>The problem here may be that no one actually *uses* digest auth. The
>problem is that these servers don't let you use both together. This is
>because both servers (indeed, pretty much all Unix HTTP servers that I
>know of) store Basic passwords crypted. This makes them unusable for
>Digest auth's purposes, which either needs the passwords in the clear or
>hashed. So the vast installed base of installed authentication cannot use
>digest (except in specific, intranet-like cases, where you are assured
>that the user is capable of supporting digest auth).

This is unfortunate. The design of DIGEST deliberately made it possible
to share a database for both purposes - if absolutely necessary. No
server should ever be storing the passwords used by DIGEST; all that is
necessary is the one-way-function hashed key.

The one-way hash used by DIGEST is much stronger than that used by the
UNIX password format. There is no cryptographic reason to prefer the
UNIX format.


The reason why nobody is using DIGEST is because of clients which do 
not.

	Phill
Received on Thursday, 29 August 1996 07:44:37 EDT
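Editor's note: the following is an added example, not code from the thread or from any server discussed in it. It shows the database sharing Phill describes: the server keeps only H(A1) = MD5(username:realm:password) per user, verifies a Digest response from that value alone (RFC 2069-style computation, without the later qop/cnonce fields), and verifies a Basic credential by hashing the cleartext password it receives with the same formula and comparing against the same store. The realm, usernames, passwords and nonce are constructed for the example; a crypt(3)-style store cannot be used this way because the password is not recoverable from it.

```python
import base64
import hashlib
import hmac
import re

# Added example, not code from the thread. Implements the RFC 2069-era Digest
# computation (no qop/cnonce) that the 1996 discussion refers to.
REALM = "example.org"  # hypothetical realm, chosen for this example


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username ":" realm ":" password).
    This is the only credential-derived value a Digest server needs to keep."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(h_a1: str, nonce: str, method: str, uri: str) -> str:
    """response = MD5(H(A1) ":" nonce ":" H(A2)), with H(A2) = MD5(method ":" uri)."""
    h_a2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h_a1}:{nonce}:{h_a2}")


def parse_digest_header(header: str) -> dict:
    """Turn 'Digest username="alice", realm="...", ...' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params)
    return {k: quoted or bare for k, quoted, bare in pairs}


# Constructed server-side credential store: username -> H(A1). No cleartext
# password and no crypt(3) string is kept; both schemes verify against it.
CREDENTIAL_STORE = {"alice": ha1("alice", REALM, "correct horse")}


def verify_digest(store: dict, header: str, method: str, issued_nonce: str) -> bool:
    """Server side: recompute the response from the stored H(A1) only."""
    try:
        p = parse_digest_header(header)
        username, realm, nonce, uri, response = (
            p["username"], p["realm"], p["nonce"], p["uri"], p["response"])
    except (ValueError, KeyError):
        return False
    if realm != REALM or nonce != issued_nonce:
        return False
    h_a1 = store.get(username)
    if h_a1 is None:
        return False
    expected = digest_response(h_a1, nonce, method, uri)
    # Constant-time compare on bytes so a non-ASCII response cannot raise.
    return hmac.compare_digest(expected.encode(), response.encode())


def verify_basic(store: dict, header: str) -> bool:
    """Server side: Basic delivers the password itself, so the server hashes it
    with the H(A1) formula and compares against the same store."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    username, sep, password = decoded.partition(":")
    if not sep:
        return False
    h_a1 = store.get(username)
    if h_a1 is None:
        return False
    return hmac.compare_digest(h_a1.encode(), ha1(username, REALM, password).encode())


def client_digest_header(username: str, password: str, nonce: str, method: str, uri: str) -> str:
    """Client side: the user agent holds the cleartext password and builds the header."""
    resp = digest_response(ha1(username, REALM, password), nonce, method, uri)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def client_basic_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


if __name__ == "__main__":
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
    d = client_digest_header("alice", "correct horse", nonce, "GET", "/private/")
    b = client_basic_header("alice", "correct horse")
    print("digest ok:", verify_digest(CREDENTIAL_STORE, d, "GET", nonce))
    print("basic ok:", verify_basic(CREDENTIAL_STORE, b))
```

Two things a practitioner should keep in mind with this layout. The shared record works only in the Digest-to-Basic direction: a server that already holds crypt(3) strings cannot derive H(A1) from them, which is the compatibility problem the quoted message raises. And while H(A1) is a one-way function of the password, it is itself sufficient to answer a Digest challenge, so the store still has to be protected as a credential, not treated as a harmless hash file.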
