RE: Digest mess

>  From: "David W. Morris" <dwm@xpasc.com>
>  Date: Wed, 7 Jan 1998 18:29:38 -0800 (PST)
>  To: Jim Gettys <jg@pa.dec.com>
>  Cc: Paul Leach <paulle@microsoft.com>,
>          http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com,
>          Scott Lawrence <lawrence@agranat.com>, http-wg@cuckoo.hpl.hp.com
>  Subject: RE: Digest mess
>  
Material elided...

>  
>  Of course, once we have hidden the password using digest, there is
>  still no way to update the password but one could argue that
>  it is harder to sniff the infrequent update than the repeated
>  authentication credential.

We have a somewhat secure mechanism widely available today for updating 
the password: that is SSL.  You can use SSL to your server or (given Paul's 
scheme, if he can enlighten us as he catches up on his mail after the holiday) 
your KDC and update your password.  (Not to mention telephone, PGP encrypted 
mail, and other mostly secure methods).  So the password update problem 
can be done pretty well without significant problems, given what we already 
have deployed.  And some folks (e.g. Lotus Notes) already have KDC's
and ways of setting passwords securely.

Note that SSL usage has to be done with a bit of care, if you want
to avoid "partially known plaintext" attacks on the data going over
the connection to the backend server speaking SSL, when doing the password
updates.

This isn't a complete panacea, as many organizations do not allow SSL through 
their firewalls (for good reasons), so in the longer term, we'll need another 
protocol, methinks, just for talking to servers and/or KDC's.

>  
>  In any case, I believe it is critical to protect the authentication
>  credentials not because we are securing the web transaction BUT for
>  the reasons Jim has noted ... to prevent the use of web passwords
>  grabbed from the net from being used to access unrelated services.
>  
>  Take on the data verification as a second problem.  Perhaps do 
>  something about the password update issue as well... Perhaps 
>  even a variation of shttp to protect and authenticate the payload 
>  with lower implementation costs than SSL.
>  

Getting Digest done sooner rather than later will greatly reduce
the long term interoperability problems we'll have to get passwords
in the clear off the Internet, and allow us all to focus on the
password setting problem with more breathing room...

So I'm all for message integrity, but if I have to choose one or the
other (password safety), I'd settle for password safety.  The discussion
I'm seeing though, makes me think we may be able to have both...
				- Jim

--
Jim Gettys
Industry Standards and Consortia
Digital Equipment Corporation
Visiting Scientist, World Wide Web Consortium, M.I.T.
http://www.w3.org/People/Gettys/
jg@w3.org, jg@pa.dec.com

Received on Thursday, 8 January 1998 09:19:51 UTC