
RE: Digest Authentication Challenge Ordering

From: Spencer Dawkins <Spencer.Dawkins.sdawkins@nt.com>
Date: Fri, 7 Aug 1998 10:14:12 -0400
Message-Id: <11622C999F23D111BA620000F8662EB7023AE200@zrchb152.us.nortel.com>
To: 'Paul Leach' <paulle@microsoft.com>, "'http-wg@hplb.hpl.hp.com'" <http-wg@hplb.hpl.hp.com>
I know what Paul is trying to say, and I agree that it would be a good
thing. My question is, is "strongest" unambiguous? Does it just mean
"maximum key length"?

I'm not trying to be pedantic - this is an important part of protecting
against "drop your shields" man-in-the-middle attacks, and I'd like to see
the spec be pretty precise about a user's exposure to server selection of a
"weaker" authentication scheme when a stronger scheme could be used. But I
can't define "weak" and "strong" either!

Spencer

> -----Original Message-----
> From:	Paul Leach [SMTP:paulle@MICROSOFT.com]
> Sent:	Friday, August 07, 1998 2:57 AM
> To:	'http-wg@hplb.hpl.hp.com'
> Subject:	RE: Digest Authentication Challenge Ordering
> 
> I propose that the user-agent MUST choose the strongest auth-scheme it
> understands. This permits the server to put Basic first for old browsers
> (if it finds Basic acceptably secure). The order really doesn't matter, since
> the server is only supposed to offer minimally acceptable schemes.
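The selection rule Paul proposes, and the downgrade exposure Spencer asks about, written out as a small client-side routine. This is an added example and not code from anyone in the thread: it parses every challenge in a WWW-Authenticate value (the comma-separated list form), picks the strongest scheme the client actually implements regardless of where the server placed it, and keeps a per-origin memory so a response that suddenly offers only a weaker scheme than the same origin offered before can be flagged. The strength ranking (Digest above Basic, anything else treated as not understood) and the per-origin memory are assumptions of the example, not anything the thread defines.

```python
import re

# Strength ranking for the schemes this client implements, higher is stronger.
# The ranking itself is an assumption of this example (Digest above Basic);
# schemes missing from the table are treated as "not understood".
SCHEME_RANK = {"digest": 2, "basic": 1}

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
RE_SCHEME_ONLY = re.compile(rf"^({TOKEN})$")
RE_SCHEME_T68 = re.compile(rf"^({TOKEN})[ \t]+({TOKEN68})$")
RE_SCHEME_PARAM = re.compile(rf"^({TOKEN})[ \t]+({TOKEN})=(.*)$", re.S)
RE_PARAM = re.compile(rf"^({TOKEN})=(.*)$", re.S)


def split_top_level_commas(header):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in header:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def unquote(value):
    """Strip surrounding double quotes and backslash escapes from a quoted-string."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header):
    """Parse a WWW-Authenticate value into a list of {'scheme', 'params'} dicts.

    A new challenge starts wherever a piece begins with a scheme token followed
    by whitespace; a bare name=value piece continues the current challenge.
    """
    challenges = []
    for piece in split_top_level_commas(header):
        if m := RE_SCHEME_T68.match(piece):
            challenges.append({"scheme": m.group(1).lower(), "params": {},
                               "token68": m.group(2)})
        elif m := RE_SCHEME_PARAM.match(piece):
            scheme, name, value = m.groups()
            challenges.append({"scheme": scheme.lower(),
                               "params": {name.lower(): unquote(value)}})
        elif (m := RE_PARAM.match(piece)) and challenges:
            challenges[-1]["params"][m.group(1).lower()] = unquote(m.group(2))
        elif RE_SCHEME_ONLY.match(piece):
            challenges.append({"scheme": piece.lower(), "params": {}})
        else:
            raise ValueError(f"malformed challenge fragment: {piece!r}")
    return challenges


def choose_strongest(header):
    """Pick the strongest challenge this client understands, ignoring server order."""
    best = None
    for ch in parse_challenges(header):
        rank = SCHEME_RANK.get(ch["scheme"])
        if rank is None:
            continue  # a scheme we do not implement is never a candidate
        if best is None or rank > best[0]:
            best = (rank, ch)
    return best[1] if best else None


def downgrade_suspected(origin, header, seen):
    """True when `origin` previously offered a stronger scheme than it offers now.

    `seen` is an assumed client-side memory mapping origin -> strongest rank
    observed so far; it is updated in place.
    """
    chosen = choose_strongest(header)
    rank = SCHEME_RANK[chosen["scheme"]] if chosen else 0
    previous = seen.get(origin, 0)
    seen[origin] = max(previous, rank)
    return rank < previous


if __name__ == "__main__":
    # Constructed sample header: Basic listed first, Digest second.
    hdr = 'Basic realm="example", Digest realm="example", qop="auth", nonce="abc123"'
    print(choose_strongest(hdr)["scheme"])  # digest, despite Basic coming first
```

The parser matters as much as the ranking: a client that only looks at the first token of the header implements "server order wins", which is exactly the choice the thread is trying to take away from the server (and from anyone who can rewrite the response in transit). The memory check is deliberately coarse; it cannot prove tampering, only surface the moment an origin's best offer gets weaker.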
Received on Friday, 7 August 1998 07:19:28 EDT
