- From: Ben Laurie <ben@algroup.co.uk>
- Date: Tue, 20 Jan 1998 21:33:01 +0000
- To: Dave Kristol <dmk@research.bell-labs.com>
- Cc: paulle@microsoft.com, http-wg@cuckoo.hpl.hp.com
Dave Kristol wrote:
>
> Paul Leach wrote:
> > > [DMK:]
> > > So let me hark back to the discussion of a few weeks ago. Let's not
> > > try to make Digest do something it was not intended to do. Let's
> > > hold replay-proof Digest for digest-ng discussions.
>
> >
> > No.
> >
> > A replayable Digest is just as bad as Basic.
>
> Let me say the same thing differently: A replayable Digest is no worse
> than Basic. And it has the merit that it eliminates cleartext passwords.
> That's all we were trying to do.

A replayable Digest is by no means as bad as Basic:

1. The replay is likely to be time-limited in any sensible implementation, unlike in Basic.

2. The replay is only applicable to a single URL, unlike Basic.

3. The attacker is likely to have already seen the content, in the process of stealing the material necessary for the replay.

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
Received on Tuesday, 20 January 1998 13:35:34 UTC
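Ben's first two points, that a captured Digest response is only good for the one URL it was computed over and only while the server still honours the nonce, can be checked in code. The following is an added example, not code from the list or any of its participants: it implements the RFC 2069 form of the Digest response (no qop/cnonce) with a constructed realm, user and password, a time-stamped HMAC nonce so the server can bound replay without storing nonces, and an assumed 300-second nonce lifetime.

```python
import hashlib, hmac

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()   # MD5 because Digest specifies it

# Constructed server state: nonce-minting key, realm, one user, nonce lifetime.
NONCE_KEY = b"server-nonce-secret (constructed)"
REALM = "example"
USERS = {"alice": "s3cret"}          # constructed credentials
NONCE_LIFETIME = 300                 # seconds a nonce stays valid (assumption)

def make_nonce(now: float) -> str:
    # nonce = issue-time ":" HMAC(key, issue-time); the server can later verify
    # the age of any nonce it issued without keeping a table of them.
    ts = str(int(now))
    mac = hmac.new(NONCE_KEY, ts.encode(), "sha256").hexdigest()[:16]
    return f"{ts}:{mac}"

def nonce_is_fresh(nonce: str, now: float) -> bool:
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(NONCE_KEY, ts.encode(), "sha256").hexdigest()[:16]
    return hmac.compare_digest(mac, expected) and 0 <= now - int(ts) <= NONCE_LIFETIME

def digest_response(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    # RFC 2069: response = MD5(HA1 ":" nonce ":" HA2), HA2 binding method and URI
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_accepts(auth: dict, method: str, uri: str, now: float) -> bool:
    # auth = parsed Authorization header fields: username, nonce, uri, response
    if auth["uri"] != uri or auth["username"] not in USERS:
        return False                      # a captured response is tied to one URL
    if not nonce_is_fresh(auth["nonce"], now):
        return False                      # and to the nonce's lifetime
    expected = digest_response(auth["username"], USERS[auth["username"]], method, uri, auth["nonce"])
    return hmac.compare_digest(expected, auth["response"])

def demo() -> dict:
    t0 = 1000000.0
    nonce = make_nonce(t0)
    auth = {"username": "alice", "nonce": nonce, "uri": "/private/report",
            "response": digest_response("alice", "s3cret", "GET", "/private/report", nonce)}
    return {
        "same_url_in_window": server_accepts(auth, "GET", "/private/report", t0 + 10),
        "other_url": server_accepts(auth, "GET", "/private/other", t0 + 10),
        "after_expiry": server_accepts(auth, "GET", "/private/report", t0 + NONCE_LIFETIME + 1),
    }
```

The first result is the replay Ben concedes (same URL, inside the nonce window); the other two show the URL binding and the time limit closing it, which Basic, carrying the password itself, never does.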