W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1996

Authenticated Transactions: Why Wait Another Year?

From: John C. Mallery <jcma@ai.mit.edu>
Date: Sun, 8 Sep 1996 23:59:04 -0400
Message-Id: <v03007800ae5940e2b8b3@[]>
To: Larry Masinter <masinter@parc.xerox.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/1563
My main complaint about digest authentication is that it should
not just authenticate the user but also authenticate the entire http
transaction.  The current specification is vulnerable to man in the middle

This can be fixed by adding the following two items:

	1. a digest header on the server responses that hashes the request,
	the secret etc with the response code.

	2. digest headers whenever an entity is transfered in this
	mode so we know we're really getting the right bits.

These digest headers need to incorporate a surrogate for the transaction ID
into the hash to protect against short-window replay attacks.

These changes give a big payoff: authenticated transactions with exportable technology.

I'm surprised this was not already included in the digest draft, as it
is a rather glaring omission once one gets base64 authentication off the brain.
Received on Tuesday, 10 September 1996 03:41:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:16:20 UTC