- From: <rlgray@raleigh.ibm.com>
- Date: Tue, 16 Dec 1997 13:45:56 EST
- To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
** Reply to note from "Roy T. Fielding" <fielding@kiwi.ics.uci.edu> Tue, 16 Dec 1997 00:40:30 -0800 As a server implementer, let me point out that our problem with implementing it has little, if anything, to do with the complexity of the protocol or featuritis. The basic (err, pun intended) problem we have is that we have an installed base using existing password files, which store one-way derivatives of the passwords. There is NO way to get the plaintext password or H(A1) (as suggested in the digest draft) from these databases. Not all of the databases available to use for authentication use the same algorithms to store the passwords. So, for Digest to be even remotely interesting, we would need the browser to build H(A1) from the password derivative, not the plaintext password itself. And this only works for a subset of the databases available (i.e. the ones we administer, not necessarily the system ones). Digest also breaks with 3rd party authentication schemes such as Kerberos. (I think somebody already pointed this out) Our users who care about passwords flowing in the clear use SSL. Richard L. Gray will code for chocolate
Received on Tuesday, 16 December 1997 10:47:35 UTC