- From: Jim Whitehead <ejw@cse.ucsc.edu>
- Date: Tue, 16 Oct 2001 09:42:15 -0700
- To: "WebDAV" <w3c-dist-auth@w3.org>
Geoff Clemm writes:

> Are you sure you are not confusing digest authentication with basic
> authentication? With digest authentication, a server only needs to
> expose its passwords in a cryptographically secure hash-coded form.

I'm going to make an educated guess here. Since Dylan works on a DAV server called "Livelink Gateway", I suspect the architecture of this implementation is a wrapper around an existing content management system, Livelink. I will also guess that Livelink does not natively handle Digest authentication. Hence, to handle Digest authentication the Livelink Gateway needs to be able to convert the hashed username/password pair it receives from the client into a cleartext version of same, which it can then pass along to Livelink.

The alternative is to change Livelink itself so it can handle Digest authentication. Then the gateway can call Livelink, pass the Digest credentials, and then get back a pass/fail result. However, this requires changing the API to Livelink, and requires that customers who add the Livelink Gateway must update Livelink as well.

That all said, I'm not very much in favor of weakening the Digest authentication requirements. Trends on the Internet are towards greater security, and the recent rash of attacks on Web servers shows that the cracker community has an interest in breaking Web servers. I suspect that as DAV becomes more mainstream, it will in turn be a focus of attacks. I'd like for us to have a solid security infrastructure in place when this day comes.

- Jim
Received on Tuesday, 16 October 2001 12:46:03 UTC
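An added example (Python; not code from this thread, from Livelink or from its gateway) of the second arrangement Jim describes: a backend that has been taught Digest keeps only the RFC 2617 HA1 hash per user and answers pass/fail for the credentials handed to it, so nothing in front of it ever needs a cleartext password. The `DigestBackend` class, realm and user names are assumptions; the hashing is the RFC 2617 construction (MD5, qop=auth).

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    # RFC 2617 Digest is defined over MD5; that is the "hash-coded form".
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the only credential the server stores."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """The response value for qop=auth; client and server compute it identically."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict; values may be quoted or bare."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]+)', header[len("Digest "):])
    return {k: v.strip().strip('"') for k, v in pairs}

class DigestBackend:
    """Hypothetical stand-in for a content store that has been taught Digest
    (the 'change Livelink itself' option): it keeps HA1 values only and
    answers pass/fail, so a gateway in front of it never needs cleartext."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self._ha1 = {}  # username -> HA1; no cleartext password is ever kept

    def add_user(self, username: str, password: str) -> None:
        self._ha1[username] = make_ha1(username, self.realm, password)

    def check(self, method: str, f: dict) -> bool:
        """Pass/fail for a parsed Authorization header; nonce replay tracking is out of scope."""
        ha1 = self._ha1.get(f.get("username"))
        if ha1 is None or f.get("realm") != self.realm:
            return False
        expected = digest_response(ha1, method, f.get("uri", ""), f.get("nonce", ""),
                                   f.get("nc", ""), f.get("cnonce", ""), f.get("qop", "auth"))
        return hmac.compare_digest(expected, f.get("response", ""))

def client_authorization(username, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """What a DAV client puts on the wire; the password never leaves this function."""
    resp = digest_response(make_ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
```

Because the response also covers the method and URI, a header captured from one PROPFIND cannot be replayed as a different request, which is the other property Basic authentication lacks.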