W3C home > Mailing lists > Public > public-qa-dev@w3.org > January 2007

Markup Validator can not proxy digest auth?

From: olivier Thereaux <ot@w3.org>
Date: Mon, 22 Jan 2007 13:20:52 +0900
Message-Id: <D8C18FE2-FC90-47A4-BE00-E8BFF93ACC2C@w3.org>
Cc: w3t-sys Team <w3t-sys@w3.org>
To: QA Dev <public-qa-dev@w3.org>

It took me almost half a day thinking there was a bug in the  
validator, but as I finally found out, there's no bug: by *design* of  
Digest Auth, the markup validator can not proxy digest authentication  
like it does for basic authentication.

Explanation: Digest auth works in a challenge-response manner.

1) client requests resource
2) server answers 401, gives challenge string, authentication realm
3) client computes response, based on hash of challenge string,  
realm, user, password, and most importantly here, *queried URI*

http://en.wikipedia.org/wiki/Digest_access_authentication

So even if the validator can pass the challenge string and realm to  
the user's browser, and pass the response string back to the server,  
the response will NOT be accepted by the server, simply because
expected_response = hash(challenge, realm, user, password, "http:// 
www.example.com/foo/bar/")
is obviously different from
given_response = hash(challenge, realm, user, password, "http:// 
validator.w3.org/check?uri=http%3A%2F%www.example.com%2Ffoo%2Fbar%2F")

Conclusion: bad news, everyone, I think we can't "proxy" digest auth  
- unless I'm mistaken, and trust me, I'd love to be wrong here. I  
can't recall who made the first implementation  of the auth proxying  
for the validator. Gerald? Terje? Would you concur?


We then have the choice betweem

1) CLIENT <- basic auth -> VALIDATOR <- digest auth -> SERVER
(which, arguably, is wrong wrong wrong - we'd be putting the SERVER  
at risk without their consent. Plus, I'm not even sure it's entirely  
feasible.)
or
2) "sorry, we can not validator resources protected by digest  
authentication. Use the upload feature of the validator, or install a  
local instance of the validator in your network, and give access to  
your resources to that server".


Thoughts? Different diagnosis? Is this a showstopper for switching  
w3.org servers to digest auth, seeing as it's not only going to break  
validation, but all sorts of services too (xslt, etc.)?


-- 
olivier
Received on Monday, 22 January 2007 04:21:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 19 August 2010 18:12:47 GMT