RE: Digest Authentication

From: Jim Whitehead <ejw@cse.ucsc.edu>
Date: Tue, 23 Oct 2001 11:04:08 -0700
To: <mtimmerm@opentext.com>, "'WebDAV'" <w3c-dist-auth@w3.org>
Message-ID: <AMEPKEBLDJJCCDEJHAMIIEKPDJAA.ejw@cse.ucsc.edu>

> You're saying that if I run my server in an environment that doesn't allow
> me to present Digest in the WWW-Authenticate headers, then that's OK, as
> long as there's a checkbox for Digest somewhere and I've unchecked it?

Just thought of another example. The Apache server "supports" Digest
authentication, even though the process of enabling it involves installing a
new module (mod_auth_digest). In the case of Apache, it is possible to
create a server that does not have any Digest authentication code in the
running server executable.

Thus, Apache is an existence proof of "supporting" Digest, while not
compromising security in environments where characteristics of the Digest
implementation are unacceptable.

- Jim
Received on Tuesday, 23 October 2001 14:08:02 GMT