W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2001

RE: Digest Authentication

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Tue, 23 Oct 2001 20:30:16 +0200
To: "Jim Whitehead" <ejw@cse.ucsc.edu>, <mtimmerm@opentext.com>, "'WebDAV'" <w3c-dist-auth@w3.org>
Message-ID: <NDBBKJABLJNMLJELONBKEEGFDBAA.stefan.eissing@greenbytes.de>
Now, are we having fun here or what?

I just scanned RFC 2617 for any MUST wording on digest authentication
and could not find any. The thing I found is in Ch. 4.1, 3rd paragraph:

  "Because Basic authentication involves the cleartext transmission
   of passwords it SHOULD NOT be used (without enhancements) to protect
   sensible or valuable information."

I think this is the way it should be stated for WebDAV as well, if it
must be stated at all.

//Stefan


> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Jim Whitehead
> Sent: Tuesday, October 23, 2001 8:04 PM
> To: mtimmerm@opentext.com; 'WebDAV'
> Subject: RE: Digest Authentication
>
>
> > You're saying that if I run my server in an environment that
> doesn't allow
> > me to present Digest in the WWW-Authenticate headers, then that's OK, as
> > long as there's a checkbox for Digest somewhere and I've unchecked it?
>
> Just thought of another example. The Apache server "supports" Digest
> authentication, even though the process of enabling it involves
> installing a
> new module (mod_auth_digest). In the case of Apache, it is possible to
> create a  server that does not have any Digest authentication code in the
> running server executable.
>
> Thus, Apache is an existence proof of "supporting" Digest, while not
> compromising security in environments where characteristics of the Digest
> implementation are unacceptable.
>
> - Jim
>
>
>
Received on Tuesday, 23 October 2001 14:29:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:43:58 GMT