Re: Experimental implementation of SimpleMD5

>In this connection, the www-security list may be the correct forum
>to talk about the security aspects.

Oh all right! :-)

Readers of www-security:

A discussion of a new authentication scheme for HTTP has broken out.  We
here at Spyglass have proposed a digest scheme based on MD5.  You may
peruse our ideas at:


SimpleMD5 has been implemented in our client and in 2 servers, and works
nicely as specified.

Philip Hallam-Baker does not share our enthusiasm for our proposal, and has
suggested something totally distinct but similar, the details of which are

The Digest scheme has apparently also been implemented, as the code for it
is available linked to the above page.

Philip apparently recently posted the following list of priorities, all of
which I agree with:

> 1) We authenticate the message body
> 2) All things being equal we make it as compatible with S-HTTP as possible
> 3) The discussion of a security scheme for the Web take place on the mailing
>       list the IETF has been told is the official forum for such schemes.
> 4) We get something out fast enough that it can be included in HTTP/1.1

and, giving the horse yet another kick, I add

5) Make the scheme as SIMPLE as possible, leaving the meatier issues to
S-HTTP discussions.

There is every reason to move toward consensus.  Perhaps, through
discussion with the readers of www-security, we can locate the appopriate
blend of Philip's ideas and ours?

Eric W. Sink

Received on Tuesday, 24 January 1995 11:37:37 UTC