- From: Eric W. Sink <eric@spyglass.com>
- Date: Tue, 10 Jan 1995 14:16:58 -0600
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, www-talk@info.cern.ch
Recently, we proposed a simple authentication scheme, based on the MD5 algorithm, for possible inclusion in the discussed HTTP/1.1. It has been suggested by Phillip Hallam-Baker that the scheme should not use MD5, due to a known weakness. He is suggesting the use of SHA instead. We would like to generate discussion on this, so that we can move quickly toward consensus. The choice need not be a difficult one. This simple access authentication scheme is not intended to be a solution to the entire web-security need. What we seek is a simple, but relatively secure replacement for the Basic Access Authentication scheme in HTTP/1.0. We chose MD5 primarily because code is widely available, in the belief that it was strong enough for our target usage. However, if there is consensus that SHA would be an all-around better choice, we will revise our proposal. It is our intention to make source code for our scheme available as we can do so. Some software developers have already expressed enthusiasm for helping with prototype implementations of the scheme. The current draft of our proposal is located at: http://www.spyglass.com/techreport/simple_aa.txt Please send comments or responses to the http-wg list. -- Eric W. Sink eric@spyglass.com Jeffery L. Hostetler jeff@spyglass.com Spyglass, Inc.
Received on Tuesday, 10 January 1995 11:12:25 UTC