Re: Digest Authentication Challenge Ordering

Ronald.Tschalaer@psi.ch wrote:
> [...]
> Heck, they're buggy even with respect to rfc-1945. However, I feel we
> should try and find a solution because otherwise I fear deployment of
> Digest might be hampered too much.
> 
> Let me explain why I see a problem. As a webmaster I'd like to set up
> protectecd areas such that if the browser supports Digest it will use
> Digest, else it will use Basic. Implicit in this is the emphasis that
> this should work with the current (broken) browsers. Now, going by the
> current authentication spec this would mean the server must send
> 
> WWW-Authenticate: Digest ..., Basic ...
> 
> However, because this breaks most currently used browsers I have to
> instead configure
> 
> WWW-Authenticate: Basic ..., Digest ...
> 
> But unfortunately this then means that _all_ browsers (including the
> ones implementing the current auth spec) will use Basic too - no one
> will use Digest. This means we have no reasonable upgrade path and I
> believe this will therefore definitely hamper the demployment of
> Digest.

I think I made similar observations as far back as when Digest was
"SimpleMD5".

> 
> I see basically three solutions (ignoring the q-value approach given
> by Patrick because I don't see how to do it without breaking current
> browsers):

> [Description of three options, plus commentary, deleted.]

Expressing preferences with "least-preferred-first" does seem to be an
elegant solution.  Unfortunately, we remain at the mercy of the browser
implementation.  We (webmasters) are relying on the user agent to "do
the right thing" and choose the more secure authentication method.  If
Digest Auth is a required part of HTTP/1.1 (clients), then it's possible
to test whether the client complies (by sending Basic and Digest
challenges and looking for the Digest response).  In that case I would
support "least-preferred-first".

Dave Kristol

Received on Friday, 31 July 1998 10:32:39 UTC