Proposed new authentication scheme for HTTP

Recently, we proposed a simple authentication scheme, based on the MD5
algorithm, for possible inclusion in the discussed HTTP/1.1.

It has been suggested by Phillip Hallam-Baker that the scheme should
not use MD5, due to a known weakness.  He is suggesting the use of SHA
instead.  We would like to generate discussion on this, so that we can
move quickly toward consensus.

The choice need not be a difficult one.  This simple access
authentication scheme is not intended to be a solution to the entire
web-security need.  What we seek is a simple, but relatively secure
replacement for the Basic Access Authentication scheme in HTTP/1.0.

We chose MD5 primarily because code is widely available, in the belief
that it was strong enough for our target usage.  However, if there is
consensus that SHA would be an all-around better choice, we will revise
our proposal.

It is our intention to make source code for our scheme available as we
can do so.  Some software developers have already expressed enthusiasm
for helping with prototype implementations of the scheme.

The current draft of our proposal is located at:

http://www.spyglass.com/techreport/simple_aa.txt

Please send comments or responses to the http-wg list.

--
Eric W. Sink                    eric@spyglass.com
Jeffery L. Hostetler            jeff@spyglass.com
Spyglass, Inc.

Received on Tuesday, 10 January 1995 11:12:25 UTC