- From: <hallam@ai.mit.edu>
- Date: Thu, 29 Aug 96 10:45:15 -0400
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
- Cc: hallam@ai.mit.edu
> The problem here may be that no one actually *uses* digest auth. The
> problem is that these servers don't let you use both together. This is
> because both servers (indeed, pretty much all Unix HTTP servers that I
> know of) store Basic passwords crypted. This makes them unusable for
> Digest auth's purposes, which either needs the passwords in the clear or
> hashed. So the vast installed base of installed authentication cannot use
> digest (except in specific, intranet-like cases, where you are assured
> that the user is capable of supporting digest auth). This is unfortunate.

The design of DIGEST deliberately made it possible to share a database for both purposes - if absolutely necessary. No server should ever be storing the passwords used by DIGEST; all that is necessary is the one-way-function hashed key.

The one-way hash used by DIGEST is much stronger than that used by the UNIX password format. There is no cryptographic reason to prefer the UNIX format.

The reason why nobody is using DIGEST is because of clients which do not.

Phill
Received on Thursday, 29 August 1996 07:44:37 UTC
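The shared-database point made in the message above, as an added example that is not part of the original thread: an RFC 2069-style Digest exchange in which the server keeps only MD5(username:realm:password) (the "A1" hash) and verifies both Digest responses and Basic credentials against that one value. The realm, user, nonce and password are constructed sample values.

```python
import hashlib
import secrets

# Constructed sample values; the realm and user are hypothetical.
REALM = "example-realm"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2069 'A1' hash: the only secret the server needs to keep."""
    return md5_hex(f"{username}:{realm}:{password}")


# Server-side store: one realm-bound one-way hash per user, no passwords.
# A crypt(3)-style Basic store cannot serve Digest, because the server
# needs exactly this value and it cannot be derived from a crypt hash.
STORE = {
    ("alice", REALM): make_ha1("alice", REALM, "correct horse"),
}


def client_digest_response(username, realm, password, nonce, method, uri):
    """What a Digest client sends: MD5(HA1:nonce:HA2), RFC 2069 style."""
    ha1 = make_ha1(username, realm, password)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify_digest(store, username, realm, nonce, method, uri, response):
    """Server recomputes the expected response from the stored HA1 only."""
    ha1 = store.get((username, realm))
    if ha1 is None:
        return False
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, response)


def server_verify_basic(store, username, realm, password):
    """Basic auth delivers the cleartext password; hash it into HA1 and
    compare, so the same database serves both schemes."""
    ha1 = store.get((username, realm))
    if ha1 is None:
        return False
    return secrets.compare_digest(make_ha1(username, realm, password), ha1)
```

The store never contains a reusable password, so a copy of it is useless for Basic logins elsewhere, yet it still lets the server check either scheme.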