Re: potential security holes in digest authorization

"Phillip M. Hallam-Baker" <hallam@w3.org> wrote:

  > Concerning the tying of the username to the realm, this was a deliberate
  > choice on my part. If a user has the same username/password on multiple
  > machines a system manager at one site could obtain access to the other if
  > there was nothing to differentiate them. It's a realm name and not the
  > server name to permit multiple servers to share the same authentication
  > data. What is missing is the requirement that the realm name should be an
  > INTERNIC reserved one, eg we could use w3.org or blink.w3.org. I think
  > this prevents collisions in the desired manner.
  [...]

I'm obviously missing something here concerning realms.  I've seen realms
used:
1) As a name in Web servers, to distinguish separately protected domains
of information.
2) As a component of the WWW-Authenticate response header.
3) As the prompt from a Web browser for a user to authenticate him/herself.

I've argued (unsuccessfully, so far) that (1) and (3) should be separated.

Now Phillip seems to suggest that the realm should be something the
INTERNIC registers.  I don't understand why.  The client knows the
server it connected to, so presumably it can distinguish realm R on
server S1 from realm R on server S2.  If he's arguing that the server
name should be incorporated in the Digest method hash, in addition to
the realm, that's reasonable, provided both client and server agree on
what that name is.

Dave Kristol
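The collision both messages are worried about, as an added example that is not part of the original thread. It assumes the digest computation later written down in RFC 2069 (HA1 = MD5(username:realm:password), response = MD5(HA1:nonce:HA2)), and constructs two hypothetical servers, s1.example and s2.example, that happen to use the same bare realm name; the point it shows is that the stored HA1 is identical across both servers unless the realm itself differs, which is why Phillip wants a globally unique realm and why Dave asks whether the server name should go into the hash.

```python
import hashlib


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # What a server stores per (username, realm); the password never
    # needs to be kept once this value exists.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5_hex(f"{method}:{uri}")


def digest_response(username, realm, password, nonce, method, uri) -> str:
    # Client side: computed from the password.
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{ha2(method, uri)}")


def response_from_ha1(stored_ha1, nonce, method, uri) -> str:
    # Server side: the same value, but derived from the stored HA1 alone.
    # Anyone holding HA1 for a (username, realm) can therefore answer any
    # challenge that names that same realm.
    return md5_hex(f"{stored_ha1}:{nonce}:{ha2(method, uri)}")


def stored_credential_collides(realm_a, realm_b, username, password) -> bool:
    # True when two sites would hold byte-identical HA1 values for the
    # same user; the only input that can separate them is the realm.
    return ha1(username, realm_a, password) == ha1(username, realm_b, password)


if __name__ == "__main__":
    # Constructed sample credentials (hypothetical).
    user, pw = "dave", "s3cret"
    # Same bare realm on both servers: one site's stored HA1 works at the other.
    print(stored_credential_collides("staff", "staff", user, pw))  # True
    # Realm qualified with a registered domain, as Phillip proposes.
    print(stored_credential_collides("staff@s1.example", "staff@s2.example", user, pw))  # False
```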

Received on Wednesday, 26 July 1995 12:38:22 UTC