Re: APOP - authentication..

Based on the comments about Digest when (I think it was Larry Masinter)
was asked that it be reviewed by the www-security list, and from the brief
description that Peter included in his message, it appears
that APOP authentication does not suffer from the replay
attack that was present in the then-current Digest design.
----------
] From: "Roy T. Fielding"  <fielding@avron.ICS.UCI.EDU>
] To: Peter J Churchyard  <pjc@trusted.com>
] Cc:  <http-wg!cuckoo.hpl.hp.com>
] Subject: Re: APOP - authentication..
] Date: Tuesday, February 20, 1996 8:25AM
]
] > This document describes a simple authentication scheme for http that uses
] > the APOP mechanism as defined in RFC1725 Post Office Protocol - Version 3.
]
] It appears to be a weak subset of the Digest authentication mechanism
] already proposed and implemented on many HTTP systems.  I don't see
] any reason why APOP can't be mapped into Digest and thus save the client
] from having to know more AA schemes than are necessary.
]
]
]  ...Roy T. Fielding
]     Department of Information & Computer Science    (fielding@ics.uci.edu)
]     University of California, Irvine, CA 92717-3425    fax:+1(714)824-4056
]     http://www.ics.uci.edu/~fielding/
] 

Received on Tuesday, 20 February 1996 13:38:09 UTC