W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

Re: Digest mess

From: Scott Lawrence <lawrence@agranat.com>
Date: Wed, 07 Jan 1998 09:12:14 -0500
Message-Id: <199801071412.JAA16016@devnix.agranat.com>
To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>

>>>>> "JF" == John Franks <john@math.nwu.edu> writes:


>> We started Digest (does anyone remember "SimpleMD5"?) with a goal of
>> eliminating cleartext passwords.  That design goal was achieved ages
>> ago.  Since then we've added neat functionality to try to identify when
>> the message has been modified or replayed.

  But without at least some message integrity protection the
  authentication credentials are meaningless.  Granted, we cannot
  achieve complete integrity protection - for that you have to go to
  SSL/TLS or S-HTTP.

JF> I have no problem with this.  I think it does not break existing
JF> implementations because the parts to be removed are optional.

  Let me take one more stab at this.

  My proposed change is that we remove the problematic headers from
  the entity digest calculation and replace them with the use of a
  client-generated nonce.

  The principle objection to this that I've heard is that it is not
  backward compatible with existing implementations.  Fair enough.

  I would normally not suggest added complexity, but... the server can
  tell whether to use the RFC2069 version of the scheme or not by
  whether or not the client supplies a nonce.  The client nonce would
  have to be transmitted to the server as an attribute of the
  Authorization header field anyway - if it is present, then the
  client does 'new' digest that uses it; if not, then it does RFC2069
  style.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Wednesday, 7 January 1998 06:26:50 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:09 EDT