
Re: Digest mess

From: John Franks <john@math.nwu.edu>
Date: Tue, 6 Jan 1998 20:26:14 -0600 (CST)
To: Dave Kristol <dmk@bell-labs.com>
Cc: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <Pine.LNX.3.96.980106200948.1940A-100000@hopf.math.nwu.edu>
On Tue, 6 Jan 1998, Dave Kristol wrote:

> We started Digest (does anyone remember "SimpleMD5"?) with a goal of
> eliminating cleartext passwords.  That design goal was achieved ages
> ago.  Since then we've added neat functionality to try to identify when
> the message has been modified or replayed. 
> 
[snip]
> My summary:  let's return Digest to its original purpose, avoiding
> cleartext passwords.  Let's not try to impose on Digest capabilities for
> which it was not intended.
> 

A number of others have echoed this sentiment.  There may be an
emerging consensus to undock all the entity-digest and
Authentication-info parts of the current digest specification, leaving
digest as a simple replacement for Basic authentication with precisely
the same functionality, but with the elimination of cleartext
passwords.

I have no problem with this.  I think it does not break existing
implementations because the parts to be removed are optional.

This would then allow interested parties to pursue "digest-ng" which 
could be incompatible and in particular could authenticate the server
to the client by the use of client nonces.  It could also deal with
the issues of digesting headers.

John Franks
john@math.nwu.edu
Received on Tuesday, 6 January 1998 18:38:51 EST
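An added illustration of the two shapes of Digest discussed in the message; this is not part of the mailing-list post and is not code from any IETF draft. The "original purpose" form follows the RFC 2069 computation (HA1 = MD5(user:realm:password), response = MD5(HA1:nonce:HA2)): the cleartext password never leaves the client and the server stores only HA1, but the server proves nothing to the client. The "digest-ng" form assumes the client-nonce (cnonce) / qop=auth / Authentication-Info rspauth construction that RFC 2617 later standardized, so that only a server holding HA1 can answer the client's fresh cnonce. The class names, the ImpostorServer and the run_exchange helper are this example's own constructions.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # The only place the cleartext password is used; it never goes on the wire.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5_hex(f"{method}:{uri}")


def response_2069(h1: str, nonce: str, method: str, uri: str) -> str:
    """Original Digest (RFC 2069 shape): no client nonce, so the server proves nothing."""
    return md5_hex(f"{h1}:{nonce}:{ha2(method, uri)}")


def response_auth(h1, nonce, nc, cnonce, method, uri) -> str:
    """qop=auth shape: the client nonce and request counter are bound into the digest."""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2(method, uri)}")


def rspauth(h1, nonce, nc, cnonce, uri) -> str:
    """Server's reply digest (Authentication-Info rspauth): same inputs, empty method.
    Only a party holding HA1 can produce it for the client's fresh cnonce."""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2('', uri)}")


class DigestServer:
    """Hypothetical server: keeps HA1 per user, never a cleartext password."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1_by_user = {u: ha1(u, realm, p) for u, p in users.items()}
        self.nonce = secrets.token_hex(16)

    def challenge(self):
        return {"realm": self.realm, "nonce": self.nonce, "qop": "auth"}

    def verify(self, auth):
        """Return Authentication-Info on success, None on failure."""
        h1 = self.ha1_by_user.get(auth["username"])
        if h1 is None or auth["nonce"] != self.nonce:
            return None
        expected = response_auth(h1, auth["nonce"], auth["nc"],
                                 auth["cnonce"], auth["method"], auth["uri"])
        if not hmac.compare_digest(expected, auth["response"]):
            return None
        return {"rspauth": rspauth(h1, auth["nonce"], auth["nc"],
                                   auth["cnonce"], auth["uri"])}


class ImpostorServer(DigestServer):
    """Hypothetical spoofed host that does not know HA1: it can issue a
    challenge and accept anything, but cannot compute a valid rspauth."""

    def verify(self, auth):
        return {"rspauth": secrets.token_hex(16)}


class DigestClient:
    """Hypothetical client; holds the password and checks the server's rspauth."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def authorize(self, chal, method, uri):
        self.h1 = ha1(self.username, chal["realm"], self.password)
        self.cnonce, self.nc, self.uri = secrets.token_hex(8), "00000001", uri
        self.nonce = chal["nonce"]
        return {"username": self.username, "nonce": self.nonce, "nc": self.nc,
                "cnonce": self.cnonce, "method": method, "uri": uri,
                "response": response_auth(self.h1, self.nonce, self.nc,
                                          self.cnonce, method, uri)}

    def check_server(self, auth_info):
        expected = rspauth(self.h1, self.nonce, self.nc, self.cnonce, self.uri)
        return hmac.compare_digest(expected, auth_info["rspauth"])


def run_exchange(server, username, password, method="GET", uri="/dir/index.html"):
    """One round trip. Returns (server_accepted_client, client_accepted_server)."""
    client = DigestClient(username, password)
    auth = client.authorize(server.challenge(), method, uri)
    info = server.verify(auth)
    if info is None:
        return (False, False)
    return (True, client.check_server(info))


if __name__ == "__main__":
    # Constructed sample credentials (the RFC 2617 example user and realm).
    real = DigestServer("testrealm@host.com", {"Mufasa": "Circle Of Life"})
    print(run_exchange(real, "Mufasa", "Circle Of Life"))   # (True, True)
    print(run_exchange(real, "Mufasa", "wrong"))             # (False, False)
    fake = ImpostorServer("testrealm@host.com", {})
    print(run_exchange(fake, "Mufasa", "Circle Of Life"))    # (True, False)
```

The third case is the point of the cnonce: with the RFC 2069 shape (response_2069) the impostor would be indistinguishable from the real server, because nothing in the exchange requires the server to know HA1. Note that both forms still rest on MD5 and on the server-side HA1 table being kept secret; they remove the cleartext password from the wire, nothing more.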
