- From: Jeff Hostetler <jeff@rafiki.spyglass.com>
- Date: Wed, 20 Dec 95 11:58:23 -0600
- To: "Phillip M. Hallam-Baker" <hallam@w3.org>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, stefek_zaba@hplb.hpl.hp.com, spowers@ncsa.uiuc.edu, hopmann@holonet.net, jeff@fido.spyglass.com
> At the IETF HTTP-WG it was agreed to form sub-groups on a number of issues
> including Digest Authentication in HTTP. I would like to request anyone with
> objections to Jeff Hostetler's draft (now expired) to make them known in the
> next three weeks - say January 10th?
>
> I would ask Jeff to resubmit the draft so that we can know what the proposal
> is.
by popular request, we are in the process of resubmitting the draft.
it should be available tomorrow. i think jan 10 is a good goal.
> To revise people's memories Digest authentication allows a user to demonstrate
> that they know a password without sending it over the Internet in a form that
> can be decrypted. It does require servers to keep authentication databases
> which are sensitive in that any compromise to them will compromise their
> security as access codes. This is the best that can be done without using
> public key however. The UNIX method of storing passwords means that passwords
> have to be sent over the network in the clear. Digest Authentication is
> effectively providing Kerberos type security without a mediator.
>
> There are a few outstanding issues:
>
> 1) Should we include a mediated form of the authentication?
>
> 2) Should we specify a mechanism for defining new Keyed Digest algorithms?
>
> 3) Is Kerberos integration a practical proposition?
i think we should leave these ideas for another authentication scheme.
the original goal of Digest was that we can do significantly better
than Basic with a near-trivial set of changes. we went from practically
no security [uuencode("username:password")] to something with some nice
properties while retaining the existing (2 party) web-model. we were
also able to keep it free of patents and royalties and fully exportable
and (probably) importable. i think we should be happy with it as is.
> 4) The syntax of the WWW-Authenticate: field is peculiar.
yes, let's discuss this in the sub-group. whether we change the syntax
or not, there's a definite need to improve the wording and eliminate
some ambiguity.
> We now have 2 entirely independent implementations, one in Spyglass's deployed
> products and another in the Common Lisp Web server. Since both of those products
> tend to get distributed on CD-ROMs there had better be a good reason behind any
> proposed changes.
FYI, NCSA, John Franks, and David Kristol also have implementations.
are there any others ??
jeff hostetler
spyglass, inc.
Received on Wednesday, 20 December 1995 10:04:08 UTC
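The thread contrasts Basic (an encoded, trivially reversible "username:password") with Digest, where the client proves knowledge of the password by hashing it with a server nonce and the server keeps only a per-user hash that is itself password-equivalent. The following example, added here and not part of the original message or of any of the implementations it mentions, models both sides of that exchange in Python. It uses the RFC 2069 layout of the Digest computation, response = H(H(user:realm:password) : nonce : H(method:uri)), which is the published form of the draft under discussion; the exact field layout of the 1995 draft is treated as an assumption. `DigestServer`, `client_authorize`, `run_exchange`, the realm, user name, password, URI and the single-use nonce policy are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """Hex MD5 of a string; MD5 is the hash the Digest draft used."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# --- Basic: the credential is only encoded, never protected ---------------

def basic_credential(username: str, password: str) -> str:
    """What a Basic client puts on the wire: base64 of "user:password"."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def basic_recover(token: str) -> tuple:
    """Anyone who sees the header recovers the password with one decode."""
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# --- Digest: the password is proven by hash, not transmitted --------------

def ha1(username: str, realm: str, password: str) -> str:
    """H(A1): the only per-user secret the server needs to store."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    """response = H( H(A1) : nonce : H(method:uri) )  (RFC 2069 layout, assumed)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{ha2}")


class DigestServer:
    """Hypothetical server: keeps H(A1) per user plus the set of nonces it issued."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.db = {}            # username -> H(A1); password-equivalent, so guard it
        self.live_nonces = set()

    def enroll(self, username: str, password: str) -> None:
        # The plaintext password is discarded; only H(A1) is retained.
        self.db[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        # Fresh unpredictable nonce per challenge (sent in WWW-Authenticate).
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, method: str, uri: str, response: str) -> bool:
        stored = self.db.get(username)
        if stored is None or nonce not in self.live_nonces:
            return False
        expected = digest_response(stored, nonce, method, uri)
        ok = hmac.compare_digest(expected, response)   # constant-time comparison
        if ok:
            # Single-use nonce (an assumption, stricter than the draft requires):
            # a captured response is useless once its challenge has been consumed.
            self.live_nonces.discard(nonce)
        return ok


def client_authorize(username, realm, password, nonce, method, uri) -> str:
    """What a Digest client sends back; the password itself never leaves the client."""
    return digest_response(ha1(username, realm, password), nonce, method, uri)


def run_exchange(password_used: str = "CircleOfLife") -> dict:
    """Constructed exchange: enrol, challenge, respond, verify, then replay."""
    server = DigestServer("testrealm@example.com")           # constructed realm
    server.enroll("alice", "CircleOfLife")                  # constructed user/password
    nonce = server.challenge()
    resp = client_authorize("alice", server.realm, password_used, nonce, "GET", "/dir/index.html")
    first = server.verify("alice", nonce, "GET", "/dir/index.html", resp)
    replay = server.verify("alice", nonce, "GET", "/dir/index.html", resp)
    return {
        "response": resp,
        "accepted": first,
        "replay_accepted": replay,
        "password_on_wire": "CircleOfLife" in resp,
    }


if __name__ == "__main__":
    print("Basic header decodes to:", basic_recover(basic_credential("alice", "CircleOfLife")))
    print("Digest exchange:", run_exchange())
```

Two points from the thread are visible in the code. The Basic token round-trips through `basic_recover`, which is all an on-path observer needs; the Digest response is a hash over a one-time nonce, so the password never appears on the wire and the server verifies it from the stored `H(A1)` alone. That same stored value is why the message calls the server database sensitive: `verify` never needs the plaintext, so anyone holding `H(A1)` holds the access code.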