RE: I command you to support Digest!!! from Larry Masinter on 2001-10-26 (w3c-dist-auth@w3.org from October to December 2001)

From: Larry Masinter <LMM@acm.org>
Date: Thu, 25 Oct 2001 19:37:56 -0700
To: "Jason Crawford" <ccjason@us.ibm.com>
Cc: <w3c-dist-auth@w3.org>
Message-ID: <NDBBKEBDLFENBJCGFOIJMEOPFMAA.LMM@acm.org>

Jason Crawford asked:
>    Are you expressing a preference for any particular approach with your
> posting below?

I'm trying to give some guidance about the basic rules
of standards making in the IETF:

a) the standard should assure interoperability
b) the standard should require implementation of
   security adequate for its stated purpose
c) standards should avoid requiring implementation of
  patented technologies 

For WebDAV, the stated purpose is "web distributed
authoring". Other uses, like for software configuration
management or accessing exchange mailboxes, are fine,
but they're not the stated purpose.


Saying "authentication must be used" doesn't assure interoperability,
because the clients might not implement the authentication
mechanism that the server requires. Requiring that
"the authentication method used must not have passwords
in the clear" doesn't help.

I think what RFC 2518 says is that WebDAV clients
must USE digest authentication for authentication.

(a) means that if you have a compliant client and
a compliant server, they should work together.
Letting servers implement basic with SSL only
without requiring clients to implement basic
with SSL means you wouldn't have interoperability.
Requiring clients to implement SSL means (I think)
that you're requiring them to implement patented
technology. Not requiring any security means that
you break (b).



>    If not, what would you suggest that the spec say?  (Feel free 
> to post to the list and guide the resolution of this.)

I think RFC 2518's "MUST support digest" meets the criteria
above, especially if you interpret "support" to mean
"actually use as an access authentication method".

I suggest that the spec stay as it is in RFC 2518 unless
you can come up with something that everyone agrees
(1) it's better, and (2) it also meets the criteria.


>    Also, do you know if the powers that be would accept us either saying
> nothing beyond the fact that authentication should be used? 

No, because of (a); it doesn't guarantee interoperability

> If not, would
> they accept it if we additionally specify that the authentication schemes
> used avoid sending privledged info in the clear?

It still doesn't guarantee interoperability.

Received on Thursday, 25 October 2001 22:39:33 UTC