- From: Alan Kent <ajk@mds.rmit.edu.au>
- Date: Fri, 26 Oct 2001 09:50:41 +1000
- To: w3c-dist-auth@w3.org
> > The standards group must choose a baseline that is both > > "secure enough" and "interoperable enough". So far, the group > > chose "must support Digest". If you change it to "must support > > Digest OR basic+SSL" on the server side, then you're mandating > > "must support Digest AND basic+SSL" on the client side. > > > > This is nice for server implementors but maybe not as nice for > > client implementors. > > > Thats a pretty good observation. However, i think digest > for server implementors is *hard* while digest for client > implementors is *easy*. For some of our sites, replace *hard* with *impossible*. We do not control the database of user names and passwords. We do not have access to the password, a hashed form of it, or anything. We can only supply details and get back details about the user. Period. For these sites it is impossible to support digest authentication. The customers in these cases *will not* accept having a second copy of the user database. They went to a lot of effort to get single sign on across the organisation. This is my problem, not WebDAV's. I just thought it was worth pointing out again. There was lots of discussion about how you can store hashed versions of the passwords and so its safer etc. However, in many large organisations there is a single group controlling authentication etc and they fight tooth and nail to keep that control - and often rightly so. If security is important, you have to keep your security db secure. Alan
Received on Thursday, 25 October 2001 19:51:15 UTC