
RE: Some comments on Digest Auth

From: David W. Morris <dwm@xpasc.com>
Date: Wed, 21 Jan 1998 09:49:01 -0800 (PST)
To: Paul Leach <paulle@microsoft.com>
Cc: Yaron Goland <yarong@microsoft.com>, "'dmk@research.bell-labs.com'" <dmk@research.bell-labs.com>, http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.GSO.3.96.980121094315.5268A-100000@shell1.aimnet.com>


On Tue, 20 Jan 1998, Paul Leach wrote:

> 
> A replayable Digest is just as bad as Basic.

There is obviously some disagreement here .... that statement may be
true if you limit your considerations to HTTP requests .... but 
when you consider that all users of some operating systems are
forced to use the same userid and password for HTTP *AND* for login
to those systems there is a huge difference between basic which
allows for trivial recovery of login credentials and digest
which doesn't.

And the vendor furnished limitations are just one problem.  It is well
known that humans tend to use the same passwords in unrelated
contexts when given the opportunity to choose their own.

It sure seemed like we had consensus that getting rid of plain text
passwords (and I'm sorry but base64 encoding is plain text, just like
translating it to EBCDIC would be) was essential and that all the other
desirable functionality would be covered in digest-ng.

Dave Morris
Received on Wednesday, 21 January 1998 09:51:24 EST
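The contrast Dave draws, shown in code as an added example (not from the thread or any implementation it discusses): a Basic Authorization header decodes back to the login password with no key at all, while an RFC 2069 Digest header carries only MD5(H(A1):nonce:H(A2)), which a server verifies from its own copy of the password. The user, realm, password, nonce and URI are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials and request; not taken from the thread.
USER, REALM, PASSWORD = "dave", "example.org", "correct horse"
METHOD, URI = "GET", "/private/index.html"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # sample server nonce


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """What Basic puts on the wire: base64 is an encoding, not a secret."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials(header):
    """What anyone who sees a Basic header holds afterwards: the reusable password."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2069 (no qop): response = MD5(H(A1):nonce:H(A2)),
    A1 = user:realm:password, A2 = method:uri."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_header(user, realm, password, method, uri, nonce):
    """What Digest puts on the wire: username, realm, nonce, uri and a hash; no password."""
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def server_verify(header, realm, method, stored_password, issued_nonce):
    """Server side: recompute the response from its own copy of the password.
    The header alone yields no password; it can only be replayed for the same
    nonce, which is why nonce handling (not password secrecy) is the weak point."""
    params = {}
    for part in header[len("Digest "):].split(", "):
        key, _, value = part.partition("=")
        params[key] = value.strip('"')
    if params.get("nonce") != issued_nonce or params.get("realm") != realm:
        return False
    expected = digest_response(params["username"], realm, stored_password,
                               method, params["uri"], issued_nonce)
    return hmac.compare_digest(expected, params["response"])
```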

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:11 EDT