
RE: Resolving Digest authentication issue

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Fri, 2 Nov 2001 11:24:08 +0100
To: "Jim Whitehead" <ejw@cse.ucsc.edu>, <w3c-dist-auth@w3.org>
Message-ID: <NDBBKJABLJNMLJELONBKMEJADBAA.stefan.eissing@greenbytes.de>
Fine with me.

//Stefan

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Jim Whitehead
> Sent: Friday, November 02, 2001 2:53 AM
> To: w3c-dist-auth@w3.org
> Subject: Resolving Digest authentication issue
>
> Jason Crawford pointed out to me that we never resolved the Digest
> authentication issue, so let me take a stab at it. If you quibble with the
> wording below, don't just say you don't like it -- suggest some alternate
> wording.
>
> Dylan Barrel [1] and Alan Kent [2] describe the issues with supporting
> Digest authentication on the server, and their contention that support for
> Digest is unacceptable:
>
> [1] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0062.html
> [2] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0087.html
>
> I clarified the meaning of "supports Digest authentication" in [3]:
>
> [3] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0073.html
>
> I think Matt Timmerman's post [4] has the start of a solution:
>
> [4] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0080.html
>
> Thus, I propose the following authentication requirements:
>
> * Basic MUST NOT be used unless the connection is secure. Secure is defined
> to be TLS over the Internet, a physically secure network, or a network
> behind a well-administered firewall.
>
> Client requirements: MUST support Basic, SSL/TLS support is STRONGLY RECOMMENDED
> Server requirements: SHOULD support Basic, SSL/TLS support is STRONGLY RECOMMENDED
>
> * Digest SHOULD be used when the connection is insecure, such as a non-TLS
> connection over the Internet.
>
> Client requirements: MUST support Digest
> Server requirements: SHOULD support Digest, but it is acceptable for Digest
> authentication to be disabled by default. It SHOULD be possible for an
> administrator to configure a server to use Digest.
>
> * Additional authentication schemes beyond Basic and Digest MAY be
> supported, whether or not described in an IETF specification. Implementors
> should be aware that use of other authentication schemes guarantees some
> level of non-interoperation of that authentication scheme, since all WebDAV
> clients and servers cannot be expected to support that authentication
> scheme.
>
> So, for example, it's OK for people to support NTLM.
>
> * Finally, to guarantee some level of authentication will be possible: a
> server MUST at minimum support either Basic OR Digest. A server SHOULD
> support Basic AND Digest.
>
> Note that the terms MUST and SHOULD are being used as defined in RFC 2119:
>
> 1. MUST   This word, or the terms "REQUIRED" or "SHALL", mean that the
>    definition is an absolute requirement of the specification.
>
> 3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
>    may exist valid reasons in particular circumstances to ignore a
>    particular item, but the full implications must be understood and
>    carefully weighed before choosing a different course.
>
> For example, I would say that Dylan and Matt have carefully weighed the
> implications of Digest support, and so if they decided not to support Digest
> under the language above, this would meet the letter and the spirit of the
> proposed language.
>
> Comments?
>
> - Jim
>
Received on Friday, 2 November 2001 05:23:15 GMT
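As an added illustration (not part of Jim's message or of any WebDAV implementation discussed in the thread), the following Python models a server applying the proposed rules: which challenge schemes it may offer depending on whether the connection is secure and whether the administrator has enabled Digest, plus the RFC 2617 Digest computation that lets a server verify a client from a stored HA1 without the password crossing the wire. The class and function names, the realm, and the sample nonce and URI values are assumptions constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class ServerAuthConfig:
    """Hypothetical server settings mirroring the proposed requirements."""
    basic_enabled: bool = True          # server SHOULD support Basic
    digest_enabled: bool = False        # Digest may be disabled by default
    realm: str = "webdav@example.test"  # constructed realm for the example

def server_is_compliant(cfg):
    """A server MUST support at least one of Basic or Digest."""
    return cfg.basic_enabled or cfg.digest_enabled

def allowed_schemes(cfg, connection_secure):
    """Schemes the server may offer in WWW-Authenticate on this connection."""
    schemes = []
    if cfg.digest_enabled:              # Digest for insecure links (and secure ones)
        schemes.append("Digest")
    if cfg.basic_enabled and connection_secure:   # Basic only over TLS or a
        schemes.append("Basic")                   # network the admin deems secure
    return schemes                      # empty: no permitted way to authenticate

def accepts_credentials(cfg, connection_secure, scheme):
    """Server-side gate: never honour Basic credentials sent insecurely."""
    return scheme in allowed_schemes(cfg, connection_secure)

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()  # MD5 is what RFC 2617 specifies

def digest_ha1(user, realm, password):
    """What the server can store instead of the password (RFC 2617 HA1)."""
    return _md5(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth; the password never crosses the wire."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify_digest(stored_ha1, method, params):
    """Recompute the response from stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, params["uri"], params["nonce"],
                               params["nc"], params["cnonce"], params["qop"])
    return secrets.compare_digest(expected, params["response"])
```

With the default configuration (Digest disabled) an insecure connection yields no permitted scheme, which is exactly the case where an administrator must either enable Digest or require TLS.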
