- From: Eric W. Sink <eric@spyglass.com>
- Date: Tue, 24 Jan 1995 14:38:15 -0600
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
- Cc: www-security@ns2.rutgers.edu
>In this connection, the www-security list may be the correct forum >to talk about the security aspects. Oh all right! :-) Readers of www-security: A discussion of a new authentication scheme for HTTP has broken out. We here at Spyglass have proposed a digest scheme based on MD5. You may peruse our ideas at: http://www/techreport/simple_aa.txt SimpleMD5 has been implemented in our client and in 2 servers, and works nicely as specified. Philip Hallam-Baker does not share our enthusiasm for our proposal, and has suggested something totally distinct but similar, the details of which are at: http://info.cern.ch/hypertext/WWW/Protocols/HTTP/digest_specification.html The Digest scheme has apparently also been implemented, as the code for it is available linked to the above page. Philip apparently recently posted the following list of priorities, all of which I agree with: > 1) We authenticate the message body > 2) All things being equal we make it as compatible with S-HTTP as possible > 3) The discussion of a security scheme for the Web take place on the mailing > list the IETF has been told is the official forum for such schemes. > 4) We get something out fast enough that it can be included in HTTP/1.1 and, giving the horse yet another kick, I add 5) Make the scheme as SIMPLE as possible, leaving the meatier issues to S-HTTP discussions. There is every reason to move toward consensus. Perhaps, through discussion with the readers of www-security, we can locate the appopriate blend of Philip's ideas and ours? -- Eric W. Sink eric@spyglass.com
Received on Tuesday, 24 January 1995 11:37:37 UTC