RE: Digest Authentication

On Tue, 16 Oct 2001, Dylan Barrell wrote:

Please check RFC2617. This issue was noted during the design of the digest
method and effectively addressed.

Or in other words: As long as the hash over the username/realm/password is
known to the server - any nonce can be used. See

	http://httpd.apache.org/docs/mod/mod_auth_digest.html

and its source for what and how.

Dw

> We did think of this solution, but that means that we always have to use the
> same nonce value and we end up getting no security improvement over basic
> authentication - so the argument that it is more secure than basic is bogus
> if you do this.
> 
> --Dylan
> 
> > -----Original Message-----
> > From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org]
> > Sent: Tuesday, October 16, 2001 2:02 PM
> > To: Dylan Barrell
> > Cc: WebDAV
> > Subject: Re: Digest Authentication
> >
> >
> >
> >
> > On Tue, 16 Oct 2001, Dylan Barrell wrote:
> >
> > > Digest Authentication requires that a server store its
> > passwords in such a
> > > way that they be available in clear text format.
> >
> > Actually though your implementation -could- store the password on disk as
> > plain text - most do not; and it is technically not required. Some bad
> > implementations do store it plain - but (for example) the apache web
> > server stores the password as a hash (md5 or crypt) on the server side.
> >
> > See http://cvs.apache.org -> apache-1.3 -> src/support/htpasswd.c and
> > src/support/htdigest.c (to get an idea of the code).
> >
> > So it is not a requirement - just an implementation choice.
> >
> > It is true that with normal basic auth the password goes over the wire in
> > the clear; but with digest auth this is not the case.
> >
> > Dw
> 

Received on Tuesday, 16 October 2001 22:45:48 UTC
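The point made in the thread above, as an added example (this is not code from the thread, from Apache, or from RFC 2617; the realm, user names, nonces and the htdigest-style lookup are constructed for illustration): the server stores only HA1 = MD5(username:realm:password), which is what htdigest writes to disk, and verifies an RFC 2617 response from that value alone. Because HA1 does not depend on the nonce, the server can issue a fresh nonce on every challenge, and an Authorization header captured under an old nonce fails verification against a new one.

```python
"""
Added example, not code from the thread, Apache, or the RFC:
RFC 2617 Digest verification from a stored HA1 (htdigest-style),
showing that no clear password and no fixed nonce are needed.
"""
import hashlib
import re
import secrets

REALM = "example-realm"  # constructed realm for this example


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 as an htdigest file stores it: MD5 over user:realm:password."""
    return md5hex(f"{username}:{realm}:{password}")


def htdigest_line(username: str, realm: str, password: str) -> str:
    """One line of an htdigest-style file; the clear password never hits disk."""
    return f"{username}:{realm}:{ha1(username, realm, password)}"


def load_ha1(htdigest_text: str, username: str, realm: str):
    """Look up the stored HA1 for (user, realm) in htdigest-style text."""
    for line in htdigest_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == username and parts[1] == realm:
            return parts[2]
    return None


def digest_response(h1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 response. With qop=auth the nc and cnonce are mixed in;
    without qop it is the older RFC 2069 form MD5(HA1:nonce:HA2)."""
    h2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return md5hex(f"{h1}:{nonce}:{h2}")


def client_authorization(username, realm, password, method, uri, nonce):
    """What the client sends. Only the client needs the clear password."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    resp = digest_response(ha1(username, realm, password),
                           method, uri, nonce, nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


# key="quoted value" or key=token, comma separated
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest(header: str) -> dict:
    """Minimal parser for the Authorization: Digest ... header."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: (q or u) for k, q, u in _KV.findall(header[len("Digest "):])}


def server_verify(htdigest_text, header, method, issued_nonce):
    """Server side: needs only the stored HA1 and the nonce it just issued."""
    p = parse_digest(header)
    if p.get("nonce") != issued_nonce:   # replay under a stale nonce
        return False
    h1 = load_ha1(htdigest_text, p.get("username", ""), p.get("realm", ""))
    if h1 is None:
        return False
    want = digest_response(h1, method, p.get("uri", ""), p["nonce"],
                           p.get("nc"), p.get("cnonce"), p.get("qop"))
    return secrets.compare_digest(want, p.get("response", ""))


def demo():
    """Fresh nonce per challenge, same stored HA1, replay rejected."""
    store = htdigest_line("alice", REALM, "s3cret") + "\n"
    n1, n2 = secrets.token_hex(16), secrets.token_hex(16)
    a1 = client_authorization("alice", REALM, "s3cret", "GET", "/dav/", n1)
    a2 = client_authorization("alice", REALM, "s3cret", "GET", "/dav/", n2)
    return {
        "first_nonce_ok": server_verify(store, a1, "GET", n1),
        "second_nonce_ok": server_verify(store, a2, "GET", n2),
        "replay_rejected": not server_verify(store, a1, "GET", n2),
        "no_clear_password_on_disk": "s3cret" not in store,
    }


if __name__ == "__main__":
    print(demo())
```

The server-side path never touches a password: `load_ha1` returns the hash from the htdigest-style text and `digest_response` is computed from it, which is why a per-request nonce costs the server nothing. The cost is that the stored HA1 is itself a password-equivalent for this realm, so the file needs the same protection a clear-text password file would.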