
Re: Some comments on Digest Auth

From: Ben Laurie <ben@algroup.co.uk>
Date: Tue, 20 Jan 1998 21:33:01 +0000
Message-Id: <34C5180D.BA5F6AF1@algroup.co.uk>
To: Dave Kristol <dmk@research.bell-labs.com>
Cc: paulle@microsoft.com, http-wg@cuckoo.hpl.hp.com
Dave Kristol wrote:
> Paul Leach wrote:
>   > > [DMK:]
>   > > So let me hark back to the discussion of a few weeks ago.  Let's not
>   > > try to make Digest do something it was not intended to do.  Let's
>   > > hold replay-proof Digest for digest-ng discussions.
>   > >
>   > No.
>   >
>   > A replayable Digest is just as bad as Basic.
> Let me say the same thing differently:  A replayable Digest is no worse
> than Basic.  And it has the merit that it eliminates cleartext passwords.
> That's all we were trying to do.

A replayable Digest is by no means as bad as Basic:

1. The replay is likely to be time-limited in any sensible
implementation, unlike in Basic.

2. The replay is only applicable to a single URL, unlike Basic.

3. The attacker is likely to have already seen the content, in the
process of stealing the material necessary for the replay.



Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
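To make points 1 and 2 above concrete, here is an added example (not code from the mail, Apache or the HTTP working group) that models a Digest server in the RFC 2069 style (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2)). The nonce format, a timestamp plus a server-keyed MAC, the 300-second lifetime, the realm and the credentials are all constructed assumptions for the example; they stand in for whatever a "sensible implementation" chooses. The `replay_scenarios` function replays one captured response in four ways and reports which ones the server accepts.

```python
import hashlib
import hmac

# Constructed values for the example; none of these come from the original mail.
REALM = "example-realm"
SERVER_SECRET = b"constructed-server-secret"   # keys the nonce MAC
NONCE_LIFETIME = 300                           # seconds a nonce stays valid (assumption)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now: int) -> str:
    """Time-stamped nonce '<timestamp>:<mac>' so the server can check age and integrity."""
    ts = str(now)
    tag = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{tag}"


def nonce_is_fresh(nonce: str, now: int) -> bool:
    """Reject nonces that are malformed, not minted by us, or older than NONCE_LIFETIME."""
    parts = nonce.split(":", 1)
    if len(parts) != 2 or not parts[0].isdigit():
        return False
    ts, tag = parts
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return False
    return 0 <= now - int(ts) <= NONCE_LIFETIME


def ha1_for(username: str, password: str) -> str:
    """HA1 is what a Digest server stores instead of the cleartext password."""
    return _md5(f"{username}:{REALM}:{password}")


def response_from_ha1(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2069-style response; the URI is bound in through HA2."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def server_verify(users, username, method, uri, nonce, response, now):
    """Return (accepted, reason) for one Authorization header's worth of fields."""
    if username not in users:
        return False, "unknown user"
    if not nonce_is_fresh(nonce, now):
        return False, "stale or invalid nonce"
    expected = response_from_ha1(users[username], method, uri, nonce)
    if not hmac.compare_digest(expected, response):
        return False, "response does not match request"
    return True, "ok"


def replay_scenarios():
    """Replay one captured response in several ways; True means the server accepted it."""
    users = {"alice": ha1_for("alice", "correct horse")}   # constructed credential
    t0 = 1_000_000                                          # constructed clock value
    nonce = make_nonce(t0)
    captured = response_from_ha1(users["alice"], "GET", "/private/report", nonce)

    results = {}
    # The legitimate request, a few seconds after the challenge.
    results["original"] = server_verify(
        users, "alice", "GET", "/private/report", nonce, captured, t0 + 5)[0]
    # Same URI, still inside the nonce lifetime: a server without nonce-use
    # tracking accepts this, which is the replay the thread is arguing about.
    results["replay_same_uri"] = server_verify(
        users, "alice", "GET", "/private/report", nonce, captured, t0 + 60)[0]
    # Different URI: HA2 changes, so the captured response no longer matches (point 2).
    results["replay_other_uri"] = server_verify(
        users, "alice", "GET", "/private/admin", nonce, captured, t0 + 60)[0]
    # After the lifetime: the nonce is stale, so the replay window has closed (point 1).
    results["replay_expired"] = server_verify(
        users, "alice", "GET", "/private/report", nonce, captured,
        t0 + NONCE_LIFETIME + 1)[0]
    # Re-stamping the nonce with a later time breaks the MAC, so the window
    # cannot be extended by editing the nonce.
    forged = f"{t0 + 10_000}:{nonce.split(':', 1)[1]}"
    results["forged_nonce"] = server_verify(
        users, "alice", "GET", "/private/report", forged, captured, t0 + 10_000)[0]
    return results


if __name__ == "__main__":
    for name, accepted in replay_scenarios().items():
        print(f"{name:18s} accepted={accepted}")
```

The one case the server still accepts, the same URI inside the lifetime, is exactly the residual exposure the mail concedes; shrinking the lifetime shrinks it, and the later Digest revision's nonce-count (`nc`) tracking lets a server refuse even that by recording which nonce/count pairs it has already seen.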
Received on Tuesday, 20 January 1998 13:35:34 EST
