W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

Re: Digest mess

From: Scott Lawrence <lawrence@agranat.com>
Date: Wed, 07 Jan 1998 10:18:16 -0500
Message-Id: <199801071518.KAA16174@devnix.agranat.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>>>>> "DK" == Dave Kristol <dmk@bell-labs.com> writes:

DK> Repeat after me "Digest is meant to replace Basic."

  I would just extend that to

    "Digest is meant to replace Basic with something useful."

DK> Basic provides no message integrity.  There may indeed be a need
DK> for a lightweight way to detect POST/PUT message integrity.  But
DK> let's not necessarily force the latter on the former.

  Even GET without at least some response integrity is of questionable
  value, and without a digest you don't even get that (and you can if
  you include a client nonce).  I don't accept the argument that we
  are doing something good by replacing one inadequate mechanism with
  another inadequate one.

DK> Are you saying that the original Digest wouldn't play through proxies?
DK> If so, how would the more recent version do any better?  (Unless you're
DK> referring to the way proxies may mung headers.  Original Digest wasn't
DK> dependent on other headers.)

  It was dependant on the headers for the entity integrity, and that's
  essential (in my admittedly not-so-humble opinion :).

DK> I would hate to see the best be the enemy of the good here.

  As I see it, I'm far from arguing for the 'best' here... just
  'adequate'.

DK> I have had server support for Digest for nearly three years (and
DK> SimpleMD5 before that), and I've longed for widespread support of
DK> Digest in clients.

  ...and one argument that client vendors have made for why they have
  not deployed it is that it is too weak - why would they be any
  more motivated to provide Digest without integrity protection?

  They have argued that Basic with SSL is better, and as things appear
  to be going I would have a tough time making a technical case
  otherwise.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Wednesday, 7 January 1998 07:22:42 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:09 EDT