
Re: New issue: Need for an HTTP request method registry

From: Leif Johansson <leifj@it.su.se>
Date: Fri, 10 Aug 2007 17:11:33 +0200
Message-ID: <46BC8025.3010002@it.su.se>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
CC: Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>

Henrik Nordstrom wrote:
> On fre, 2007-08-10 at 10:02 +1200, Adrien de Croy wrote:
>   
>> To use digest on a windows platform you can't 
>> auth against the windows or AD user database unless you re-write that 
>> database (since there's no conversion between one way hashes).  I can't 
>> see MS doing that when they can and have just kludged NTLM into HTTP.  
>> Is the fact that they had to kludge it in without support an indication 
>> of a failing in HTTP?
>>     
>
> MS AD supports Digest if you want. But it's not enabled by default due
> to security concerns. Apparently this is because they then store the
> plaintext password in the internal database and not the less sensitive
> Digest H(A1) values (probably to avoid being dependent on the realms
> used). Every existing user wanting to use Digest only needs to change
> their password after this change to have the AD object updated with the
> required password details.
>
> Same for Novell eDirectory with its "universal password" support.
>
> Regards
> Henrik
>   
I'm not sure if you meant that as a good or bad thing :-) A large
set of users never "just" decide to change their passwords, as
anyone who has operated a large user store with several keys
per user (e.g. a KDC) knows.

MS AD and other KDCs store plaintext passwords to make
key type migration possible.

Cheers, Leif
Received on Friday, 10 August 2007 15:11:31 GMT
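The realm dependence Henrik mentions, as an added example that is not part of this thread and not code from Active Directory or eDirectory: the server keeps only the RFC 2617 H(A1) = MD5(username:realm:password), so the stored value is bound to one realm and a request for any other realm cannot be verified without the plaintext. DigestStore, demo and the sample nonce values are hypothetical.

```python
import hashlib
import hmac

def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def h_a1(username: str, realm: str, password: str) -> str:
    """RFC 2617 H(A1) for algorithm=MD5: MD5(username:realm:password).
    The realm is baked in, so a stored H(A1) is usable for that realm only."""
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 request-digest with qop=auth, derived from H(A1) alone."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestStore:
    """Hypothetical server-side store keeping H(A1) per (user, realm), never the password."""
    def __init__(self) -> None:
        self._ha1: dict[tuple[str, str], str] = {}

    def enrol(self, username: str, realm: str, password: str) -> None:
        # The only point at which the plaintext is handled; only H(A1) is retained.
        self._ha1[(username, realm)] = h_a1(username, realm, password)

    def verify(self, username: str, realm: str, method: str, uri: str,
               nonce: str, nc: str, cnonce: str, response: str) -> bool:
        ha1 = self._ha1.get((username, realm))
        if ha1 is None:
            # No H(A1) for this realm: without the plaintext it cannot be derived.
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        return hmac.compare_digest(expected, response)

# Constructed sample values (not from the thread).
NONCE, NC, CNONCE = "3f9a1c2e7b", "00000001", "0a4f113b"

def demo(enrolled_realm: str, requested_realm: str) -> bool:
    """Enrol a user for one realm, then have a client authenticate against another."""
    store = DigestStore()
    store.enrol("leif", enrolled_realm, "correct horse battery staple")
    # Client side: it holds the plaintext, so it can compute H(A1) for any realm.
    client_ha1 = h_a1("leif", requested_realm, "correct horse battery staple")
    resp = digest_response(client_ha1, "GET", "/dir/index.html", NONCE, NC, CNONCE)
    return store.verify("leif", requested_realm, "GET", "/dir/index.html",
                        NONCE, NC, CNONCE, resp)
```

Adding a second realm means either enrolling every user again (a password change, as Henrik describes) or keeping the plaintext, which is the trade-off the directory vendors made.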
