- From: Dylan Barrell <dbarrell@opentext.com>
- Date: Tue, 16 Oct 2001 14:36:56 -0400
- To: "Dirk-Willem van Gulik" <dirkx@webweaving.org>
- Cc: "WebDAV" <w3c-dist-auth@w3.org>
We did think of this solution, but that means that we always have to use the same nonce value and we end up getting no security improvement over basic authentication - so the argument that it is more secure than basic is bogus if you do this.

--Dylan

> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org]
> Sent: Tuesday, October 16, 2001 2:02 PM
> To: Dylan Barrell
> Cc: WebDAV
> Subject: Re: Digest Authentication
>
> On Tue, 16 Oct 2001, Dylan Barrell wrote:
>
> > Digest Authentication requires that a server store its passwords in such a
> > way that they be available in clear text format.
>
> Actually though your implementation -could- store the password on disk as
> plain text - most do not; and it is technically not required. Some bad
> implementations do store it plain - but (for example) the apache web
> server stores the password as a hash (md5 or crypt) on the server side.
>
> See http://cvs.apache.org -> apache-1.3 -> src/support/htpasswd.c and
> src/support/htdigest.c to get an idea of the code.
>
> So it is not a requirement - just an implementation choice.
>
> It is true that with normal basic auth the password goes over the wire in
> the clear; but with digest auth this is not the case.
>
> Dw
Received on Tuesday, 16 October 2001 14:38:21 UTC
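As an added example (not code from this thread, and not Apache's htpasswd/htdigest code), the Python below shows the point Dirk makes: a Digest server needs only H(A1) = MD5(user:realm:password), which is the value an Apache htdigest file keeps in its user:realm:H(A1) lines, and can check a client's RFC 2617 response from that alone, without ever holding the clear-text password. The per-nonce nonce-count bookkeeping in DigestVerifier and the sample credentials are assumptions added here, not something the thread describes.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """MD5 hex digest of a string; MD5 is the hash RFC 2617 Digest prescribes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """H(A1) = MD5(user:realm:password). This is all the server has to keep."""
    return md5_hex(f"{user}:{realm}:{password}")


def htdigest_line(user: str, realm: str, password: str) -> str:
    """One record in the layout Apache's htdigest writes: user:realm:H(A1)."""
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def load_htdigest(text: str) -> dict:
    """Parse htdigest-style records into {(user, realm): H(A1)}."""
    store = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, realm, digest = line.split(":", 2)
        store[(user, realm)] = digest
    return store


def digest_response(h_a1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    h_a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


class DigestVerifier:
    """Server side: checks responses against stored H(A1) only.

    The nonce/nonce-count tracking is an assumption of this example; it rejects
    a response whose nonce-count has not advanced, i.e. a replayed request.
    """

    def __init__(self, store):
        self.store = store
        self.nonce_nc = {}  # nonce -> highest nonce-count accepted so far

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonce_nc[nonce] = 0
        return nonce

    def verify(self, user, realm, method, uri, nonce, nc, cnonce, response) -> bool:
        h_a1 = self.store.get((user, realm))
        if h_a1 is None or nonce not in self.nonce_nc:
            return False
        count = int(nc, 16)
        if count <= self.nonce_nc[nonce]:
            return False  # nonce-count did not advance: replay
        expected = digest_response(h_a1, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.nonce_nc[nonce] = count
        return True


# Constructed sample credentials; only the H(A1) line reaches the server store.
SAMPLE_STORE = load_htdigest(htdigest_line("dylan", "webdav", "correct horse"))


def demo() -> tuple:
    """Returns (fresh response accepted, replay rejected, wrong password rejected)."""
    server = DigestVerifier(SAMPLE_STORE)
    nonce = server.issue_nonce()
    # The client knows the password and recomputes H(A1) itself.
    good = digest_response(ha1("dylan", "webdav", "correct horse"),
                           "PROPFIND", "/docs/", nonce, "00000001", "c0ffee")
    first = server.verify("dylan", "webdav", "PROPFIND", "/docs/",
                          nonce, "00000001", "c0ffee", good)
    replay = server.verify("dylan", "webdav", "PROPFIND", "/docs/",
                           nonce, "00000001", "c0ffee", good)
    bad = digest_response(ha1("dylan", "webdav", "wrong password"),
                          "PROPFIND", "/docs/", nonce, "00000002", "c0ffee")
    wrong = server.verify("dylan", "webdav", "PROPFIND", "/docs/",
                          nonce, "00000002", "c0ffee", bad)
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the verifier only ever reads H(A1) from the store, the clear-text password exists on the client alone; what the server file does reveal is that H(A1) is itself a password-equivalent for this realm, so the htdigest file still needs the same file permissions an htpasswd file would.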