- From: Paul Leach <paulle@microsoft.com>
- Date: Tue, 20 Feb 96 11:00:01 PST
- To: fielding@avron.ICS.UCI.EDU, pjc@trusted.com
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Based on the comments about Digest when (I thnk it was Larry masinter) was asked that it be reviewed by the www-security list, and from the brief description that Peter included in his message, it appears that APOP authentication does not suffer from the replay attack that was present in the then current Digest design. ---------- ] From: "Roy T. Fielding" <fielding@avron.ICS.UCI.EDU> ] To: Peter J Churchyard <pjc@trusted.com> ] Cc: <http-wg!cuckoo.hpl.hp.com> ] Subject: Re: APOP - authentication.. ] Date: Tuesday, February 20, 1996 8:25AM ] ] > This document describes a simple authentication scheme for http that uses ] > the APOP mechanism as defined in RFC1725 Post Office Protocol - Version 3. ] ] It appears to be a weak subset of the Digest authentication mechanism ] already proposed and implemented on many HTTP systems. I don't see ] any reason why APOP can't be mapped into Digest and thus save the client ] from having to know more AA schemes than are necessary. ] ] ] ...Roy T. Fielding ] Department of Information & Computer Science (fielding@ics.uci.edu) ] University of California, Irvine, CA 92717-3425 fax:+1(714)824-4056 ] http://www.ics.uci.edu/~fielding/ ]
Received on Tuesday, 20 February 1996 13:38:09 UTC