
Re: Digest mess

From: Dave Kristol <dmk@bell-labs.com>
Date: Tue, 06 Jan 1998 16:23:53 -0500
Message-Id: <34B2A0E9.6201DD56@bell-labs.com>
To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>

I'm becoming as despairing as everyone else about how to salvage
Digest.  But before we totally "lose it", let me try to "return to those
days of yesteryear".

We started Digest (does anyone remember "SimpleMD5"?) with a goal of
eliminating cleartext passwords.  That design goal was achieved ages
ago.  Since then we've added neat functionality to try to identify when
the message has been modified or replayed.  Now, nonces can guard
against replay.  I'll assert that the additions, to guard against header
mucking, are misplaced:  if you want to assure message integrity, use
something like SSL.  Yes, it's heavier weight, and you might like to get
by with something cheaper.  But message integrity (and confidentiality)
is what you get with SSL.

My summary:  let's return Digest to its original purpose, avoiding
cleartext passwords.  Let's not try to impose on Digest capabilities for
which it was not intended.

Hi, yo, Silver, away!

Dave Kristol
Received on Tuesday, 6 January 1998 13:37:40 EST
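Added example, not part of the thread: the two things the message contrasts, written out in Python. The password never crosses the wire (only an MD5 over it and the challenge does), the server tracks the nonce-count so a replayed response is rejected, and the `auth-int` variant that folds in a body hash is the integrity addition the author regards as out of scope. The form shown is the later RFC 2617 one (qop, nonce-count, cnonce), which postdates this January 1998 message; credentials and challenge values are constructed.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", body=""):
    """Client side: RFC 2617 response. qop=auth covers method and URI only;
    qop=auth-int additionally binds the entity body (the integrity add-on)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    if qop == "auth-int":
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}")
    else:
        ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: recomputes the response and refuses a nonce-count that
    does not advance, which is how a replayed Authorization header is caught."""

    def __init__(self, credentials):
        self.credentials = credentials   # {(username, realm): password}
        self.seen = {}                   # nonce -> highest nonce-count accepted

    def issue_nonce(self):
        nonce = secrets.token_hex(16)    # fresh, unpredictable challenge
        self.seen[nonce] = 0
        return nonce

    def verify(self, username, realm, method, uri, nonce, nc, cnonce, response,
               qop="auth", body=""):
        if nonce not in self.seen:
            return False                 # unknown or expired nonce
        if int(nc, 16) <= self.seen[nonce]:
            return False                 # replay: nonce-count did not advance
        password = self.credentials.get((username, realm))
        if password is None:
            return False
        expected = digest_response(username, realm, password, method, uri,
                                   nonce, nc, cnonce, qop, body)
        if not secrets.compare_digest(expected, response):
            return False                 # wrong password or tampered method/URI/body
        self.seen[nonce] = int(nc, 16)
        return True
```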
