Re: I command you to support Digest!!!

From: Alan Kent <ajk@mds.rmit.edu.au>
Date: Fri, 26 Oct 2001 09:50:41 +1000
To: w3c-dist-auth@w3.org
Message-ID: <20011026095041.A25386@io.mds.rmit.edu.au>
> > The standards group must choose a baseline that is both
> > "secure enough" and "interoperable enough". So far, the group
> > chose "must support Digest". If you change it to "must support
> > Digest OR basic+SSL" on the server side, then you're mandating
> > "must support Digest AND basic+SSL" on the client side.
> >
> > This is nice for server implementors but maybe not as nice for
> > client implementors.
> >
> That's a pretty good observation.  However, I think digest
> for server implementors is *hard* while digest for client
> implementors is *easy*.

For some of our sites, replace *hard* with *impossible*.
We do not control the database of user names and passwords.
We do not have access to the password, a hashed form of it,
or anything. We can only supply details and get back details
about the user. Period. For these sites it is impossible to support
digest authentication. The customers in these cases *will not*
accept having a second copy of the user database. They went
to a lot of effort to get single sign-on across the organisation.

This is my problem, not WebDAV's. I just thought it was worth
pointing out again. There was lots of discussion about how
you can store hashed versions of the passwords and so it's safer
etc. However, in many large organisations there is a single
group controlling authentication etc., and they fight tooth
and nail to keep that control - and often rightly so. If
security is important, you have to keep your security db
secure.

Alan
Received on Thursday, 25 October 2001 19:51:15 GMT
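The point Alan makes above can be seen in the Digest arithmetic itself. The following is an added illustration written for this archive page, not code from the thread or from any WebDAV implementation: it computes an RFC 2617 Digest response (qop="auth", MD5), then shows three server-side positions. A server holding the cleartext password can verify; a server holding only HA1 = MD5(username:realm:password) (the "hashed passwords" option discussed on the list) can also verify; a server that can only ask an external directory "is this password right for this user?" has nothing it can hand to that directory, because the Digest response contains neither the password nor HA1. Basic authentication, by contrast, delivers the password itself, which is exactly what such an oracle needs. The realm, URI, nonce, usernames and passwords are constructed sample data; `OpaqueDirectory` is a hypothetical stand-in for the single sign-on service described in the message.

```python
"""RFC 2617 Digest (MD5, qop="auth") and what a server needs in order to
verify it.  Added example; realm, URI and credentials are constructed."""
import hashlib
import secrets

REALM = "example.org"        # constructed sample realm
METHOD = "PROPFIND"          # a WebDAV method; any HTTP method works the same way
URI = "/dav/docs/"           # constructed sample request-URI


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5: A1 = username ":" realm ":" password."""
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """H(A2) for qop="auth": A2 = Method ":" digest-uri (no entity body)."""
    return md5hex(f"{method}:{uri}")


def digest_response(h_a1: str, nonce: str, nc: str, cnonce: str,
                    method: str, uri: str) -> str:
    """request-digest = MD5(H(A1) ":" nonce ":" nc ":" cnonce ":" "auth" ":" H(A2))."""
    return md5hex(f"{h_a1}:{nonce}:{nc}:{cnonce}:auth:{ha2(method, uri)}")


def client_authorize(username: str, password: str, nonce: str,
                     method: str = METHOD, uri: str = URI) -> dict:
    """The Authorization parameters a Digest-capable client sends after a 401.
    Note that the password only ever appears inside H(A1); it is never sent."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    return {
        "username": username, "realm": REALM, "nonce": nonce, "uri": uri,
        "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1(username, REALM, password),
                                    nonce, nc, cnonce, method, uri),
    }


# --- server side: three different things a server might have ---------------

def verify_with_password(auth: dict, password_db: dict, method: str = METHOD) -> bool:
    """Server holds cleartext passwords: recompute H(A1) and compare."""
    pw = password_db.get(auth["username"])
    if pw is None:
        return False
    expected = digest_response(ha1(auth["username"], auth["realm"], pw),
                               auth["nonce"], auth["nc"], auth["cnonce"],
                               method, auth["uri"])
    return secrets.compare_digest(expected, auth["response"])


def verify_with_ha1(auth: dict, ha1_db: dict, method: str = METHOD) -> bool:
    """Server holds only H(A1) per (user, realm): still sufficient, since
    H(A1) is the only secret the digest depends on."""
    h = ha1_db.get((auth["username"], auth["realm"]))
    if h is None:
        return False
    expected = digest_response(h, auth["nonce"], auth["nc"], auth["cnonce"],
                               method, auth["uri"])
    return secrets.compare_digest(expected, auth["response"])


class OpaqueDirectory:
    """Hypothetical stand-in for the SSO directory in the message: it will
    confirm or deny a (username, password) pair and exposes nothing else,
    neither the password nor any hash of it."""

    def __init__(self, users: dict):
        self._users = users

    def check_password(self, username: str, password: str) -> bool:
        return self._users.get(username) == password


def verify_digest_against_oracle(auth: dict, directory: OpaqueDirectory):
    """A Digest response carries neither the password nor H(A1), so there is
    nothing to pass to check_password().  Returning None (rather than False)
    records that the server has no evidence either way; the only thing it
    could do is guess candidate passwords, which is an attack, not a check."""
    return None


def verify_basic_against_oracle(username: str, password: str,
                                directory: OpaqueDirectory) -> bool:
    """With Basic (over TLS) the cleartext credential arrives at the server
    and can be forwarded to the directory unchanged."""
    return directory.check_password(username, password)
```

The verifier functions deliberately take only what each deployment would actually possess. The first two work because the server controls some form of the secret; the third cannot be written as anything but a refusal, which is the situation Alan describes for sites whose password store belongs to another group.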