- From: Paul Leach <paulle@microsoft.com>
- Date: Tue, 20 Jan 1998 14:06:36 -0800
- To: "'dmk@research.bell-labs.com'" <dmk@research.bell-labs.com>
- Cc: http-wg@cuckoo.hpl.hp.com
> ---------- > From: dmk@research.bell-labs.com[SMTP:dmk@research.bell-labs.com] > Sent: Tuesday, January 20, 1998 12:59 PM > To: Paul Leach > Cc: http-wg@cuckoo.hpl.hp.com > Subject: RE: Some comments on Digest Auth > > Paul Leach wrote: > > > [DMK:] > > > So let me hark back to the discussion of a few weeks ago. Let's not > > > try to make Digest do something it was not intended to do. Let's > > > hold replay-proof Digest for digest-ng discussions. > > > > > No. > > > > A replayable Digest is just as bad as Basic. > > Let me say the same thing differently: A replayable Digest is no worse > than Basic. And it has the merit that it eliminates cleartext passwords. > A distinction without a difference. The fact that they are not plaintext is irrelevant. The important property about plaintext is that it can be replayed. If Digest can be replayed, then it has the property of plaintext that we're trying to get rid of, and so we will have accomplished nothing. NOTHING! Paul
Received on Wednesday, 21 January 1998 04:59:02 UTC