
RE: Some comments on Digest Auth

From: Paul Leach <paulle@microsoft.com>
Date: Tue, 20 Jan 1998 14:06:36 -0800
Message-Id: <5CEA8663F24DD111A96100805FFE658720398E@red-msg-51.dns.microsoft.com>
To: "'dmk@research.bell-labs.com'" <dmk@research.bell-labs.com>
Cc: http-wg@cuckoo.hpl.hp.com


> ----------
> From: 	dmk@research.bell-labs.com[SMTP:dmk@research.bell-labs.com]
> Sent: 	Tuesday, January 20, 1998 12:59 PM
> To: 	Paul Leach
> Cc: 	http-wg@cuckoo.hpl.hp.com
> Subject: 	RE: Some comments on Digest Auth
> 
> Paul Leach wrote:
>   > > [DMK:]
>   > > So let me hark back to the discussion of a few weeks ago.  Let's not
>   > > try to make Digest do something it was not intended to do.  Let's
>   > > hold replay-proof Digest for digest-ng discussions.
>   > > 
>   > No.
>   > 
>   > A replayable Digest is just as bad as Basic.
> 
> Let me say the same thing differently:  A replayable Digest is no worse
> than Basic.  And it has the merit that it eliminates cleartext passwords.
> 
A distinction without a difference. The fact that they are not plaintext is
irrelevant. The important property about plaintext is that it can be
replayed. If Digest can be replayed, then it has the property of plaintext
that we're trying to get rid of, and so we will have accomplished nothing.
NOTHING!

Paul
Received on Wednesday, 21 January 1998 04:59:02 EST
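
Added example, not part of the original message or of any HTTP implementation: a server-side check for the property argued over above, showing that a captured Digest response is accepted a second time unless the server refuses to honor a nonce twice. It assumes the RFC 2069 response computation MD5(HA1:nonce:HA2); the class and function names, the realm and the credentials are hypothetical and constructed for illustration.

```python
import hashlib
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2069 form: response = MD5(HA1 ":" nonce ":" HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    """Hypothetical verifier; one_time_nonces toggles replay rejection."""

    def __init__(self, realm, users, one_time_nonces):
        self.realm = realm
        self.users = users              # constructed sample credentials
        self.one_time_nonces = one_time_nonces
        self.issued = set()             # nonces this server handed out
        self.used = set()               # nonces already accepted once

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response):
        if user not in self.users or nonce not in self.issued:
            return False
        if self.one_time_nonces and nonce in self.used:
            return False                # same nonce seen before: replay
        expected = digest_response(user, self.realm, self.users[user],
                                   method, uri, nonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.used.add(nonce)
        return True

def demo(one_time_nonces):
    """Return (first_accepted, resubmission_accepted) for one captured request."""
    server = DigestServer("example", {"alice": "constructed-password"},
                          one_time_nonces)
    nonce = server.challenge()
    resp = digest_response("alice", "example", "constructed-password",
                           "GET", "/private", nonce)
    captured = ("alice", "GET", "/private", nonce, resp)  # as seen on the wire
    return server.verify(*captured), server.verify(*captured)

if __name__ == "__main__":
    print("nonce reusable:", demo(False))
    print("nonce one-time:", demo(True))
```

The password never crosses the wire in either mode; only the nonce bookkeeping decides whether the resubmitted request is honored.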
