
RE: Digest Authentication

From: Dylan Barrell <dbarrell@opentext.com>
Date: Tue, 16 Oct 2001 14:36:56 -0400
To: "Dirk-Willem van Gulik" <dirkx@webweaving.org>
Cc: "WebDAV" <w3c-dist-auth@w3.org>
Message-ID: <NEBBIBDBCLDPAGPIKGMCGEBJEEAA.dbarrell@opentext.com>
We did think of this solution, but that means that we always have to use the
same nonce value and we end up getting no security improvement over basic
authentication - so the argument that it is more secure than basic is bogus
if you do this.

--Dylan

> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org]
> Sent: Tuesday, October 16, 2001 2:02 PM
> To: Dylan Barrell
> Cc: WebDAV
> Subject: Re: Digest Authentication
>
> On Tue, 16 Oct 2001, Dylan Barrell wrote:
>
> > Digest Authentication requires that a server store its passwords in such a
> > way that they be available in clear text format.
>
> Actually though your implementation -could- store the password on disk as
> plain text - most do not; and it is technically not required. Some bad
> implementations do store it plain - but (for example) the apache web
> server stores the password as a hash (md5 or crypt) on the server side.
>
> (See http://cvs.apache.org -> apache-1.3 -> src/support/htpasswd.c and
> src/support/htdigest.c to get an idea of the code.)
>
> So it is not a requirement - just an implementation choice.
>
> It is true that with normal basic auth the password goes over the wire in
> the clear; but with digest auth this is not the case.
>
> Dw
Received on Tuesday, 16 October 2001 14:38:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:43:58 GMT
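An added illustration, not code from this thread or from Apache: the server keeps only HA1 = MD5(user:realm:password), the form an htdigest-style file stores, and verifies an RFC 2617-style response against that hash without ever holding the plaintext password. The verifier also issues a fresh, single-use nonce per challenge, which is the condition that separates Digest from the static, replayable credential the reply describes when one nonce is reused. Realm, user name, password and URI are constructed sample values.

```python
import hashlib
import secrets

REALM = "example-realm"  # constructed sample realm


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def htdigest_entry(user: str, password: str, realm: str = REALM) -> str:
    """What the server stores: HA1 = MD5(user:realm:password), never the password."""
    return md5_hex(f"{user}:{realm}:{password}")


def client_response(user, password, realm, nonce, method, uri):
    """Client side: response = MD5(HA1:nonce:HA2), with HA2 = MD5(method:uri)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestVerifier:
    """Server side: holds HA1 per user and the set of nonces it has issued."""

    def __init__(self, users: dict):
        self.users = users      # user -> HA1 (as loaded from an htdigest-style file)
        self.issued = set()     # nonces handed out in a challenge and not yet consumed

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user, nonce, method, uri, response) -> bool:
        ha1 = self.users.get(user)
        if ha1 is None or nonce not in self.issued:
            return False        # unknown user, or a nonce never issued / already spent
        self.issued.discard(nonce)  # single use: the same response cannot be replayed
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, response)
```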