W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2006

Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Henrik Nordstrom <hno@squid-cache.org>
Date: Wed, 18 Oct 2006 12:19:09 +0200
To: lists@ingostruck.de
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Robert Sayre <sayrer@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1161166749.10745.41.camel@henriknordstrom.net>
ons 2006-10-18 klockan 09:24 +0000 skrev Ingo Struck:


> A formulation within an updated http/1.1 document could be
> that a conforming server implementation MUST NOT use the 
> Basic auth scheme (or equally weak schemes), while clients
> MAY support it, but if they do they MUST warn the user
> decidedly -- if this seems to be too restrictive a SHOULD NOT
> could still suffice.

I would add "without adequate transport level security" to the above.

Exchanges of plain-text passwords is often required for interoperability
reasons far beyond the HTTP protocol as such. In very many applications
the server simply MUST know the plain-text password of the user.

The main reason why Digest auth hasn't been widely deployed and most
still using Basic is because of these reasons. There is not very much as
such wrong with Digest auth even if there is areas which can be improved
(and many broken implementations), but in practice it's often completely
useless as the backend systems doesn't support Digest auth, only other
proprietary authentication protocols or plain text.

Quite recently there was a standardisation effort which have brought
Digest auth a bit closer to something deployable by extending RADIUS
with Digest auth support. Hopefully this will make Digest a more
available alternative.  


Regards
Henrik

Received on Wednesday, 18 October 2006 10:21:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:53 GMT