
Re: Digest mess

From: John Franks <john@math.nwu.edu>
Date: Tue, 6 Jan 1998 12:59:44 -0600 (CST)
To: Ben Laurie <ben@algroup.co.uk>
Cc: Scott Lawrence <lawrence@agranat.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.LNX.3.96.980106124144.1078C-100000@hopf.math.nwu.edu>
On Tue, 6 Jan 1998, Ben Laurie wrote:

> 
> The Apache implementation is already marked as not suitable for serious
> use, because of the server's vulnerability to a replay. 

I don't understand.  The Apache implementation only authenticates a client
to the server.  This works.  There is no possibility of replay unless
the server re-uses nonces (which I can't believe any implementation
would do).

Going the other direction, the base digest mechanism (as implemented
in Apache) does not authenticate a server to a client.  It is just
like Basic in that respect.  Since there is no authentication there
can be no attack, replay or otherwise.  

The base digest authentication is a replacement for Basic, but without
passwords in the clear.  Apache presumably does that fine.  This is a
"serious use".  There are, of course, other "serious uses" which it
does not implement and this will always be the case.

> 
> Actually, if we could insist that the digest authed request was in the
> same keptalive session as the original request, that'd help a lot...
> 

Why?  Are you saying that once Apache has received valid credentials
for one request it allows access for (some) other requests in the same
keep-alive session which don't have credentials?  Surely, that can't
be true.

Maybe I don't understand what you are saying.

John Franks
john@math.nwu.edu
Received on Tuesday, 6 January 1998 11:02:27 EST
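The point argued above, that a Digest exchange can only be replayed if the server accepts the same nonce twice, is shown below in an added example. It is not code from this thread or from Apache; it is a toy verifier in the RFC 2069 style of the time (response = H(H(user:realm:pass):nonce:H(method:uri))), with assumed names (DigestVerifier, client_response), a constructed in-memory password store, and server-side bookkeeping that marks each issued nonce as spent on first successful use.

```python
"""Added example (not from the thread or Apache): a minimal RFC 2069-style
Digest verifier with one-time nonces, so a captured Authorization header
cannot be presented a second time. All names here are assumptions."""
import hashlib
import secrets
import time


def _h(s: str) -> str:
    """MD5 hex digest, the hash RFC 2069 Digest uses."""
    return hashlib.md5(s.encode()).hexdigest()


class DigestVerifier:
    """Server side: issues fresh nonces and checks Digest responses."""

    def __init__(self, realm: str, passwords: dict, nonce_ttl: float = 300.0):
        self.realm = realm
        self.passwords = passwords   # user -> password (constructed toy store)
        self.nonce_ttl = nonce_ttl   # seconds a nonce stays acceptable
        self._issued = {}            # nonce -> issue time, not yet redeemed
        self._used = set()           # nonces already redeemed once

    def new_nonce(self) -> str:
        """Issue a random nonce for a WWW-Authenticate challenge."""
        nonce = secrets.token_hex(16)
        self._issued[nonce] = time.monotonic()
        return nonce

    def verify(self, username, realm, nonce, method, uri, response, now=None):
        """Return 'ok' or a short reason for rejection."""
        now = time.monotonic() if now is None else now
        if nonce in self._used:
            return "replay"          # same credentials presented again
        issued = self._issued.get(nonce)
        if issued is None:
            return "unknown-nonce"   # never issued by this server
        if now - issued > self.nonce_ttl:
            return "stale"           # issued, but too old to accept
        pw = self.passwords.get(username)
        if pw is None or realm != self.realm:
            return "bad-user"
        ha1 = _h(f"{username}:{realm}:{pw}")
        ha2 = _h(f"{method}:{uri}")
        expected = _h(f"{ha1}:{nonce}:{ha2}")
        if not secrets.compare_digest(expected, response):
            return "bad-response"
        # Redeem the nonce: it can never be accepted a second time.
        self._used.add(nonce)
        del self._issued[nonce]
        return "ok"


def client_response(username, realm, password, nonce, method, uri) -> str:
    """Client side: same computation; the password itself never goes on the wire."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{ha2}")


def demo():
    """One valid request, then the identical request replayed."""
    srv = DigestVerifier("demo@example.com", {"alice": "s3cret"})
    nonce = srv.new_nonce()
    resp = client_response("alice", "demo@example.com", "s3cret", nonce, "GET", "/private")
    first = srv.verify("alice", "demo@example.com", nonce, "GET", "/private", resp)
    second = srv.verify("alice", "demo@example.com", nonce, "GET", "/private", resp)
    return first, second


if __name__ == "__main__":
    print(demo())
```

A server that hands out a fixed or long-lived nonce and never records its use would return "ok" for the second call as well, which is exactly the nonce re-use case the message says no implementation should have. The later RFC 2617 revision lets a nonce be used more than once by adding a client-supplied count (nc) and cnonce, in which case the server tracks the last count seen per nonce instead of a single used flag.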
