>-----Original Message-----
>From: Scott Lawrence [mailto:slawrence@virata.com]
>Sent: Monday, 8 January 2001 18:33
>To: Joris Dobbelsteen
>Cc: WWW WG (E-mail)
>Subject: Re: Logout
>
>
>Joris Dobbelsteen wrote:
>
>
>> Basic is completely insecure. Digest has some security hazards:
>> Server sends a 'key' to use with hashing. When the same 'key' is used,
>> the hashed password captured can be reused.
>> Also, neither digest authentication nor basic authentication provides
>> data integrity.
>
>Actually, the Digest spec provides a content integrity mechanism
>(qop=auth-int). It does not protect most of the header information
>(because of compatibility problems with proxies), but does protect
>and authenticate the message body by including a hash of the message
>body as an input to the response hash.

Wasn't aware of the hash of the message body being included.

>As for alternative schemes that provide better security without
>SSL/TLS, there was a very good spec "The Secure HyperText Transfer
>Protocol" that just didn't get any traction with implementors:
>
>http://www.ietf.org/rfc/rfc2660.txt

I will read RFC2660....

- Joris
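The two points raised in the exchange above (that qop=auth-int folds an MD5 of the entity body into the request-digest, and that a server which accepts the same nonce more than once lets a captured response be replayed) can be checked with a few lines of code. The following is an added example written for this archive page, not code from either correspondent or from any HTTP implementation; the credentials, nonces and request bodies are constructed for the demonstration, and the digest construction follows RFC 2617 (HA1, HA2 and the request-digest for qop=auth and qop=auth-int). It shows that a body swapped in transit fails verification under auth-int but passes under plain auth, and that a server remembering (nonce, nc) pairs refuses a replayed response.

```python
import hashlib
import hmac

# Constructed credentials for the demonstration (not from the thread).
USERNAME, REALM, PASSWORD = "joris", "example.test", "correct horse"


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(method, uri, nonce, nc, cnonce, qop, body=b"",
                    username=USERNAME, realm=REALM, password=PASSWORD):
    """RFC 2617 request-digest: MD5(HA1:nonce:nc:cnonce:qop:HA2).

    HA1 = MD5(username:realm:password)
    HA2 = MD5(method:uri)                   for qop=auth
    HA2 = MD5(method:uri:MD5(entity-body))  for qop=auth-int
    """
    ha1 = _md5hex(f"{username}:{realm}:{password}".encode())
    if qop == "auth":
        ha2 = _md5hex(f"{method}:{uri}".encode())
    elif qop == "auth-int":
        ha2 = _md5hex(f"{method}:{uri}:{_md5hex(body)}".encode())
    else:
        raise ValueError(f"unsupported qop {qop!r}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


class DigestServer:
    """Verifies responses and remembers (nonce, nc) pairs to refuse replays."""

    def __init__(self):
        self.seen = set()

    def verify(self, method, uri, nonce, nc, cnonce, qop, response, body=b""):
        if (nonce, nc) in self.seen:
            return False  # this nonce count was already used: replay
        expected = digest_response(method, uri, nonce, nc, cnonce, qop, body)
        if not hmac.compare_digest(expected, response):
            return False  # credentials wrong, or (under auth-int) body altered
        self.seen.add((nonce, nc))
        return True


def tamper_detected(qop):
    """Client signs one body, the body is swapped in transit: does the server notice?"""
    server = DigestServer()
    nonce, nc, cnonce = "nonce-1", "00000001", "cnonce-1"
    signed_body = b'{"transfer": 10}'       # constructed request body
    swapped_body = b'{"transfer": 10000}'   # constructed altered body
    resp = digest_response("POST", "/pay", nonce, nc, cnonce, qop, signed_body)
    return not server.verify("POST", "/pay", nonce, nc, cnonce, qop, resp, swapped_body)


def replay_rejected():
    """The same captured response presented twice: second attempt must fail."""
    server = DigestServer()
    nonce, nc, cnonce = "nonce-1", "00000001", "cnonce-1"
    resp = digest_response("GET", "/inbox", nonce, nc, cnonce, "auth")
    first = server.verify("GET", "/inbox", nonce, nc, cnonce, "auth", resp)
    second = server.verify("GET", "/inbox", nonce, nc, cnonce, "auth", resp)
    return first and not second


if __name__ == "__main__":
    print("auth-int detects body change:", tamper_detected("auth-int"))
    print("auth detects body change:    ", tamper_detected("auth"))
    print("replay rejected:             ", replay_rejected())
```

Note that the integrity check covers only the entity body, as Scott says: headers such as Host or Content-Type are not part of HA2, so a server relying on auth-int still needs TLS if header contents matter. The replay defence works only if the server both tracks nonce counts and expires nonces; a server that hands out a static nonce, which is the hazard Joris describes, gains nothing from tracking nc alone.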
This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:41 EDT