W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: Digest mess

From: <rlgray@raleigh.ibm.com>
Date: Tue, 16 Dec 1997 13:45:56 EST
Message-Id: <199712161845.NAA29298@rtpmail01.raleigh.ibm.com>
To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
** Reply to note from "Roy T. Fielding" <fielding@kiwi.ics.uci.edu> Tue, 16 Dec 1997 00:40:30 -0800

As a server implementer, let me point out that our problem with
implementing it has little, if anything, to do with the complexity of
the protocol or featuritis. 

The basic (err, pun intended) problem we have is that we have an
installed base using existing password files, which store one-way
derivatives of the passwords.

There is NO way to get the plaintext password or H(A1) (as suggested
in the digest draft) from these databases.  Not all of the databases
available to use for authentication use the same algorithms to store
the passwords.

So, for Digest to be even remotely interesting, we would need the
browser to build H(A1) from the password derivative, not the plaintext
password itself.  And this only works for a subset of the databases
available (i.e. the ones we administer, not necessarily the system
ones).

Digest also breaks with 3rd party authentication schemes such as
Kerberos. (I think somebody already pointed this out)

Our users who care about passwords flowing in the clear use SSL.

Richard L. Gray
will code for chocolate
Received on Tuesday, 16 December 1997 10:47:35 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:05 EDT