RE: Digest Authentication

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Tue, 16 Oct 2001 17:56:57 +0200
To: "Clemm, Geoff" <gclemm@rational.com>, "WebDAV" <w3c-dist-auth@w3.org>
Message-ID: <NDBBKJABLJNMLJELONBKAEEGDBAA.stefan.eissing@greenbytes.de>

Actually, you do not need to store cleartext in both cases.

As Geoff explained, digest requires the server to store
a secure hash of the username/password. You can use the
same hash to verify Basic authentication, since the client
sends the password in (almost) clear text.

Best Regards, Stefan

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Clemm, Geoff
> Sent: Tuesday, October 16, 2001 5:47 PM
> To: WebDAV
> Subject: RE: Digest Authentication
>
>
> Are you sure you are not confusing digest authentication with basic
> authentication?  With digest authentication, a server only needs to
> expose its passwords in a cryptographically secure hash-coded form.
>
> Cheers,
> Geoff
>
> -----Original Message-----
> From: Dylan Barrell [mailto:dbarrell@opentext.com]
> Sent: Tuesday, October 16, 2001 11:13 AM
> To: WebDAV
> Subject: Digest Authentication
>
>
> I would like to propose a small change to the webDAV specification.
>
> Digest Authentication requires that a server store its passwords in such a
> way that they be available in clear text format.
>
> Our experience with our customers has shown that this is TOTALLY
> UNACCEPTABLE.
>
> As a result, we will not be able to implement digest authentication in our
> webDAV server.
>
> I would like to propose that the Digest Authentication requirement be
> demoted from mandatory to optional.
>
> --Dylan
>
Received on Tuesday, 16 October 2001 11:56:23 GMT
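The point Stefan makes above, that one stored Digest hash can verify both Digest and Basic credentials, as an added example that is not part of the archived thread. It follows the RFC 2617 construction (HA1 = MD5(username:realm:password); response = MD5(HA1:nonce:MD5(method:uri))); the realm, user name, password, nonce and URI are constructed sample values, and the in-memory USER_STORE stands in for whatever credential store a real WebDAV server would use.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example (not taken from the thread).
REALM = "webdav@example.org"
USERNAME = "alice"
PASSWORD = "correct horse"


def md5_hex(s: str) -> str:
    """Hex MD5 as used by RFC 2617 Digest (MD5 is what the 2001-era spec mandates)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 is the only per-user secret a Digest-capable server has to keep."""
    return md5_hex(f"{username}:{realm}:{password}")


# Server-side credential store: user name -> HA1. No cleartext password is kept.
USER_STORE = {USERNAME: compute_ha1(USERNAME, REALM, PASSWORD)}


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response value without qop (the form both client and server compute)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(username: str, method: str, uri: str, nonce: str, response: str) -> bool:
    """Server side of Digest: recompute the response from the stored HA1 and compare."""
    ha1 = USER_STORE.get(username)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def verify_basic(authorization_header: str) -> bool:
    """Server side of Basic: the client supplied the password itself, so the server
    can rebuild HA1 from it and compare against the same stored hash."""
    scheme, _, b64 = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    username, sep, password = decoded.partition(":")
    if not sep:
        return False
    stored = USER_STORE.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(compute_ha1(username, REALM, password), stored)


# Client-side helpers, used only to construct realistic input for the checks above.
def client_basic_header(username: str, password: str) -> str:
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def client_digest_response(username: str, password: str, method: str, uri: str, nonce: str) -> str:
    return digest_response(compute_ha1(username, REALM, password), method, uri, nonce)


if __name__ == "__main__":
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
    print("Basic ok:", verify_basic(client_basic_header(USERNAME, PASSWORD)))
    print("Digest ok:", verify_digest(USERNAME, "PROPFIND", "/dav/",
                                      nonce, client_digest_response(USERNAME, PASSWORD, "PROPFIND", "/dav/", nonce)))
```

Because HA1 includes the realm, the stored value only verifies credentials presented for that realm, and the Basic path works only because the client's cleartext password lets the server recompute HA1 on each request.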