Re: Netscape vs. Digest

On Tue, 27 Aug 1996, Lou Montulli wrote:

> > 
> > Daniel DuBois <dan@spyglass.com> wrote:
> > 
> > >"SHOULD" is clearly not going to get Netscape to support Digest.
> > > The only thing that we can *hope*
> > >will get Netscape to support Digest is the threat of slapping "HTTP/1.1
> > >uncompliant" on them publicly and hope it shames them into supporting it.
> > >
> > 
> 
> At this point there isn't any good reason to add such a weak
> authorization scheme when certificates are available already.
> 
> Why would you ever want to use digest if you already have
> certificate support?
> 

   1. It's freely exportable with no license restrictions.
   2. There are no patent entanglements.
   3. SSL has a significant performance cost.
   4. Certificates don't work very well in environments where
      users use many different computers (kiosks).

Actually, I like SSL and certificates a lot, and I think that Netscape
should be commended for making the spec and reference implementations
available.  There is no question that SSL is a "good thing" and I
think you deserve a lot of credit for creating it and contributing it
to the net community.  But SSL doesn't solve all problems optimally.

The biggest problem is the continued widespread use of Basic
Authentication which results in transmission of unencrypted passwords.
The danger isn't so much sniffing -- it's that users have a strong
tendency to use one password for everything.  This makes it easy for
an unscrupulous person to ask for "registration" and collect
passwords.

Digest was never intended as strong authorization -- merely as something
to get rid of Basic.

Frankly, I would be happy even if Netscape doesn't support digest, if
they would also remove support of Basic Authentication.  I think this
would be HTTP/1.1 compliant and would also be consistent with your
view that SSL meets all authentication needs.

John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu

Received on Tuesday, 27 August 1996 13:57:38 UTC