
Re: Interop issue: how can clients force authentication?

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Wed, 18 Sep 2002 10:32:38 +0200
Cc: "'Ilya Kirnos'" <ilya.kirnos@oracle.com>, "'Julian Reschke'" <julian.reschke@gmx.de>, "'Webdav WG'" <w3c-dist-auth@w3c.org>
To: "Lisa Dusseault" <lisa@xythos.com>
Message-Id: <308FC293-CAE1-11D6-9F78-00039384827E@greenbytes.de>


On Wednesday, 18 September 2002, at 04:10, Lisa Dusseault wrote:

> [...]
> Can anybody come up with other clever ways for the client to try to
> authenticate?  E.g. is it possible for a client to send a reasonable
> Digest authentication header with its first request (probably a
> PROPFIND, but whatever method happens to be first), and if the
> information therein (e.g. realm) is bad, the server responds with the
> WWW-Authenticate header with the correct prompting?  That doesn't quite
> solve Ilya's performance problem, but perhaps the HTTP 1.1. Continue
> mechanism would solve that specific issue.

As someone on the list already pointed out, the client cannot
guess a valid Digest Authentication header. It's one main strength
of digest authentication that the client is not able to do this.
Otherwise an attacker might be able to use a replay attack.

I'm not sure however what a server will do upon seeing a nonsense
Authenticate header from the client. Will it always send a challenge
back? (Unfortunately we cannot make this a requirement in WebDAV
since this belongs in another RFC).

//Stefan
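As an added illustration of the point made above (not code from the thread, the WebDAV WG or any server implementation), the following script models one RFC 2617 Digest exchange with qop="auth": the client's response hash is bound to a server-issued nonce, so a request sent with a guessed nonce cannot verify and only draws a fresh WWW-Authenticate challenge; the same binding, plus the nonce-count check, lets the server reject a replayed header. The realm, the user/password pair, the "deadbeef" guessed nonce, and the choice to answer every failed verification with a 401 plus a new challenge are constructed assumptions for the demo, not behaviour mandated by any RFC.

```python
import hashlib
import os

REALM = "webdav-example"             # constructed realm for the demo
USERS = {"alice": "correct horse"}   # constructed credential store (demo only)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class DigestServer:
    """Minimal Digest (MD5, qop=auth) verifier that tracks issued nonces
    and the highest nonce-count seen per nonce, so replays are refused."""

    def __init__(self):
        self.issued = {}  # nonce -> highest nc accepted so far

    def challenge(self):
        """Build the WWW-Authenticate parameters for a 401 response."""
        nonce = os.urandom(16).hex()       # unpredictable, server-chosen
        self.issued[nonce] = 0
        return {"realm": REALM, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method, uri, auth):
        """Return (status, challenge). Any failure yields 401 + new challenge
        (assumed server policy); success on PROPFIND yields 207."""
        nonce = auth.get("nonce", "")
        if nonce not in self.issued:             # guessed or expired nonce
            return 401, self.challenge()
        try:
            nc = int(auth.get("nc", "0"), 16)
        except ValueError:
            return 401, self.challenge()
        if nc <= self.issued[nonce]:             # replayed or out-of-order nc
            return 401, self.challenge()
        password = USERS.get(auth.get("username", ""))
        if password is None:
            return 401, self.challenge()
        ha1 = md5_hex(f"{auth['username']}:{REALM}:{password}")
        ha2 = md5_hex(f"{method}:{uri}")         # binds the hash to method+URI
        expected = md5_hex(
            f"{ha1}:{nonce}:{auth.get('nc', '')}:{auth.get('cnonce', '')}:auth:{ha2}"
        )
        if expected != auth.get("response"):
            return 401, self.challenge()
        self.issued[nonce] = nc                  # remember nc to refuse replays
        return 207, None


def client_authorization(username, password, method, uri, chal, nc, cnonce):
    """Compute the Authorization parameters a client sends for `chal`."""
    ha1 = md5_hex(f"{username}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": username, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": response}


def run_exchange():
    """Walk through four requests and return the status of each."""
    server = DigestServer()
    statuses = []

    # 1. First request with a nonce the client merely guessed: the response
    #    cannot verify, so the server answers 401 with a real challenge.
    guessed = {"realm": REALM, "nonce": "deadbeef"}       # constructed guess
    auth = client_authorization("alice", USERS["alice"], "PROPFIND", "/dav/",
                                guessed, "00000001", os.urandom(8).hex())
    status, chal = server.verify("PROPFIND", "/dav/", auth)
    statuses.append(status)

    # 2. Proper response to the server's own nonce succeeds.
    auth = client_authorization("alice", USERS["alice"], "PROPFIND", "/dav/",
                                chal, "00000001", os.urandom(8).hex())
    statuses.append(server.verify("PROPFIND", "/dav/", auth)[0])

    # 3. Replaying the identical header is refused (nc already used).
    statuses.append(server.verify("PROPFIND", "/dav/", auth)[0])

    # 4. Same nonce, incremented nc and fresh cnonce is accepted again.
    auth = client_authorization("alice", USERS["alice"], "PROPFIND", "/dav/",
                                chal, "00000002", os.urandom(8).hex())
    statuses.append(server.verify("PROPFIND", "/dav/", auth)[0])
    return statuses


if __name__ == "__main__":
    print(run_exchange())
```

Because HA2 covers the request method and URI, a header computed for one PROPFIND cannot be reused for a different method or resource either. A production server would additionally expire nonces after a time window and set stale="true" on the challenge when an otherwise valid response arrives with an expired nonce, so the client can retry without re-prompting the user.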
Received on Wednesday, 18 September 2002 04:32:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:01 GMT