- From: John Franks <john@math.nwu.edu>
- Date: Tue, 6 Jan 1998 14:35:33 -0600 (CST)
- To: Scott Lawrence <lawrence@agranat.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Tue, 6 Jan 1998, Scott Lawrence wrote:

> All existing implementations (mine included) are already broken - we
> have established that. They will not work on the real Internet in
> the face of proxies. No backward-compatible solution exists. Like
> it or not, we are talking about a new scheme now that happens to
> share as much as possible with the old one, but lacks the problem
> with proxies. I see no alternative to admitting that, changing the
> scheme identifier and going ahead.

Existing implementations which do not implement the optional features of digest authentication (e.g. Apache) are NOT broken. They work fine on the real Internet today, even in the face of proxies. They meet the need for a replacement to Basic authentication.

Solutions backward compatible with them which fix the problems with optional features exist.

On the other hand, we could simply eliminate all optional features from digest and you and other interested parties could start work on "digest-ng."

> .. it failed purely due to a flaw in the protocol - the fact that
> we used [header] values that may be changed. We can (I think...)
> design the protocol to not use those values so that an innocent
> change in a proxy does not affect the authentication.

Certainly such a protocol can be designed. However, we have some evidence that it would not be interesting to at least one major browser implementor as long as arbitrary headers are not digested. I suspect you would be back to one hand clapping.

Digest without the optional features would also be uninteresting to them for the same reason.

John Franks
john@math.nwu.edu
Received on Tuesday, 6 January 1998 12:38:30 UTC