W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

Re: Digest mess

From: John Franks <john@math.nwu.edu>
Date: Tue, 6 Jan 1998 14:35:33 -0600 (CST)
To: Scott Lawrence <lawrence@agranat.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.LNX.3.96.980106135556.1202A-100000@hopf.math.nwu.edu>
On Tue, 6 Jan 1998, Scott Lawrence wrote:

> 

>   All existing implementations (mine included) are already broken - we
>   have established that.  They will not work on the real Internet in
>   the face of proxies.  No backward-compatible solution exists.  Like
>   it or not, we are talking about a new scheme now that happens to
>   share as much as possible with the old one, but lacks the problem
>   with proxies.  I see no alternative to admitting that, changing the
>   scheme identifier and going ahead.
> 

Existing implementations which do not implement the optional features
of digest authentication (e.g. Apache) are NOT broken.  They work
fine on the real Internet today, even in the face of proxies. 
They meet the need for a replacement to Basic authentication.
Solutions backward compatible with them which fix the problems 
with optional features exist.  

On the other hand, we could simply eliminate all optional features
from digest and you and other interested parties could start work on
"digest-ng."


>   .. it failed purely due to a flaw in the protocol - the fact that
>   we used [header] values that may be changed.  We 
>   can (I think...) design the
>   protocol to not use those values so that an innocent change in a
>   proxy does not affect the authentication.
> 

Certainly such a protocol can be designed.  However, we have some
evidence that it would not be interesting to at least one major
browser implementor as long as arbitrary headers are not digested.  I
suspect you would be back to one hand clapping.  Digest without the
optional features would also be uninteresting to them for the same
reason.


John Franks
john@math.nwu.edu
Received on Tuesday, 6 January 1998 12:38:30 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:09 EDT