Digest Authentication. Moving towards last call... from Phillip M. Hallam-Baker on 1995-12-19 (ietf-http-wg@w3.org from October to December 1995)

From: Phillip M. Hallam-Baker <hallam@w3.org>
Date: Tue, 19 Dec 95 16:26:38 -0500
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, jeff@spyglass.com, stefek_zaba@hplb.hpl.hp.com, spowers@ncsa.uiuc.edu, hopmann@holonet.net
Message-Id: <9512192126.AA24065@www18.w3.org>

At the IETF HTTP-WG it was agreed to form sub-groups on a number of issues
including Digest Authentication in HTTP. I would like to request anyone with
objections to Jeff Hosteltler's draft (now expired) to make them known in the
next three weeks - say January 10th?

I would ask Jeff to resubmit the draft so that we can know what the proposal
is. 

To revise people's memories Digest authentication allows a user to demonstrate
that they know a password without sending it over the Internet in a form that
can be decrypted. It does require servers to keep authentication databases
which are sensitive in that any compromise to them will compromise their
security ass access codes. This is the best that can be done without using
public key however. The UNIX method of storing passwords means that passwords
have to be sen over the network in the clear. digest Authentication is
effectively providing Kerberos type security without a mediator.

There are a few outstanding issues:

1) Should we include a mediated form of the authentication?

2) Should we specify a mechanism for defining new Keyed Digest algorithms?

3) Is Kerberos integration a practical proposition?

4) The syntax of the WWW-Authenticate: field is peculiar.


We now have 2 entirely independent implementations, one in Spyglasses deployed
prducts and another in the Common Lisp Web server. Since both of those products
tend to get distributed on CD-ROMS there had better be a good reason behind any
proposed changes.

The mood at the IETF was that a subgroup go off and nail down the remaining
questions and get Digest Auth rolled out ASAP. Hence the need for comments
ASAP. 

Appologies for not getting to this sooner after the IETF, I have been busy with
WWW4 which came the following week.


-- 
Phillip M. Hallam-Baker            Not speaking for anoyone else
hallam@w3.org http://www.w3.org/hypertext/WWW/People/hallam.html
Information Superhighway -----> Hi-ho! Yow! I'm surfing Arpanet!

Received on Tuesday, 19 December 1995 13:30:14 UTC