W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2001

RE: Digest Authentication

From: Jim Whitehead <ejw@cse.ucsc.edu>
Date: Tue, 16 Oct 2001 09:42:15 -0700
To: "WebDAV" <w3c-dist-auth@w3.org>
Message-ID: <AMEPKEBLDJJCCDEJHAMIMEBFDJAA.ejw@cse.ucsc.edu>
Geoff Clemm writes:
> Are you sure you are not confusing digest authentication with basic
> authentication?  With digest authentication, a server only needs to
> expose its passwords in a cryptographically secure hash-coded form.

I'm going to make an educated guess here. Since Dylan works on a DAV server
called  "Livelink Gateway", I suspect the architecture of this
implementation is a wrapper around an existing content management system,
Livelink. I will also guess that Livelink does not natively handle Digest
authentication. Hence, to handle Digest authentication the Livelink Gateway
needs to be able to convert the hashed username/password pair it receives
from the client into a cleartext version of same, which it can then pass
along to Livelink.

The alternative is to change Livelink itself so it can handle Digest
authentication. Then the gateway can call Livelink, pass the Digest
credentials, and then get back a pass/fail result. However, this requires
changing the API to Livelink, and requires that customers who add the
Livelink Gateway must update Livelink as well.

That all said, I'm not very much in favor of weakening the Digest
authentication requirements.  Trends on the Internet are towards greater
security, and the recent rash of attacks on Web servers shows that the
cracker community has an interest in breaking Web servers.  I suspect that
as DAV becomes more mainstream, it will in turn be a focus of attacks. I'd
like for us to have a solid security infrastructure in place when this day
comes.

- Jim
Received on Tuesday, 16 October 2001 12:46:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:43:58 GMT