- From: John Franks <john@math.nwu.edu>
- Date: Wed, 3 Jan 1996 21:31:35 -0600 (CST)
- To: "Donald E. Eastlake 3rd" <dee@cybercash.com>
- Cc: Larry Masinter <masinter@parc.xerox.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Wed, 3 Jan 1996, Donald E. Eastlake 3rd wrote:

> On Wed, 3 Jan 1996, Larry Masinter wrote:
>
> > I'm just trying to figure out how to deal with 'Digest Authentication'
> > in the face of claims that the mechanism has well known holes and
> > limitations. Here are the procedural options, as far as I can see
> > them:
> >
> > 1- Submit as Proposed standard as part of HTTP/1.1
> > 2- Submit as Proposed standard as a separate document
> > 3- Submit as Informational, as part of HTTP/1.0
> > 4- Submit as Informational, as a separate document
> > 5- Don't handle as part of IETF
>
> I can't see anything wrong with having a spectrum of solutions that
> meet a spectrum of threat environments. Security need not be
> perfect to be useful.

I agree. That is the point.

> > So, I'm leaning toward option 4 or 5. With option 4, it is likely that
> > if you submit it in the current form, the IESG would either add or
> > require the authors to add appropriate disclaimers as to how Digest
> > Authentication might not add significant additional security above and
> > beyond Basic Authentication.
>
> Seems only reasonable to tell people what they are getting with an
> authentication scheme, but the judgement that it's effectively the same
> as Basic in strength is only true for certain threat environments.

Has anyone suggested that Digest authentication is effectively the same as Basic? I have followed this thread closely and surely missed that if it was suggested. I just reread the message from Allan Schiffman and he did not say this.

I think that Digest is dramatically better than Basic, albeit still not perfect and not as strong as a much more complex scheme would be. The biggest problem with Basic is that passwords are effectively sent in the clear. Many naive users tend out of laziness to use the same password for both sensitive and non-sensitive accounts. Such a person might well use their login password for access to, say, HotWired member activities. Their accounts can then be compromised by anyone with a sniffer.

Digest authentication is certainly inappropriate for banking transactions. But it is plenty adequate for HotWired membership and similar activities. If we toss out Digest authentication now then at some future time we could well regret leaving open the gaping hole that Basic authentication represents.

John Franks
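The contrast John Franks draws above (Basic puts the password itself on the wire, Digest puts only a nonce-bound hash there) can be made concrete. The following is an added illustration, not code from the thread or from the Digest draft; it assumes the RFC 2069 form of the Digest computation (response = MD5(HA1:nonce:HA2), with no qop, cnonce or nonce-count), and every username, password, realm, nonce and URI in it is a constructed sample value. The server-side check also shows the limit the thread is arguing about: a captured Digest response does not reveal the password, but it verifies for as long as the server keeps accepting the nonce it was computed under.

```python
import base64
import hashlib
import hmac


def basic_header(username, password):
    """Build an HTTP Basic credential. base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_basic(header):
    """What a passive observer recovers from a captured Basic header: the password itself."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). This is the only password-derived value,
    and it is what a server may store instead of the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, method, uri):
    """RFC 2069 form (assumed here): response = MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_header(username, realm, nonce, uri, response):
    """The Authorization header as it travels on the wire: no password in it."""
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def parse_digest_header(header):
    """Minimal parser for the header produced by digest_header (constructed format)."""
    scheme, rest = header.split(" ", 1)
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    fields = {}
    for part in rest.split(", "):
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    return fields


def server_check(stored_ha1, nonce_issued, method, header):
    """Server side: recompute the response from the stored HA1 and the nonce the
    server actually issued. A response captured under an older nonce fails once the
    nonce changes, which is what bounds replay to the nonce's lifetime."""
    fields = parse_digest_header(header)
    if fields["nonce"] != nonce_issued:
        return False
    expected = digest_response(stored_ha1, nonce_issued, method, fields["uri"])
    return hmac.compare_digest(expected, fields["response"])


def demo():
    # Constructed sample values; nothing here comes from a real deployment.
    username, password, realm = "alice", "hunter2", "members@example.test"
    nonce, method, uri = "0123456789abcdef", "GET", "/members/index.html"

    basic = basic_header(username, password)
    ha1 = digest_ha1(username, realm, password)
    digest = digest_header(username, realm, nonce, uri,
                           digest_response(ha1, nonce, method, uri))
    return {
        "basic_on_wire": basic,
        "basic_recovered": credentials_from_basic(basic),
        "digest_on_wire": digest,
        "digest_accepted": server_check(ha1, nonce, method, digest),
        "digest_replay_after_new_nonce": server_check(ha1, "fedcba9876543210", method, digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the Basic header decoding straight back to `alice` / `hunter2`, while the Digest header carries only a 32-hex-digit response that the server accepts under the issued nonce and rejects once the nonce is changed. The remaining exposure, which the thread acknowledges, is that HA1 is an unsalted MD5 of the password and the response can be tested offline against password guesses, so Digest is a real improvement over Basic for the sniffer case without being a substitute for a stronger scheme.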
Received on Wednesday, 3 January 1996 19:38:54 UTC