- From: Dave Kristol <dmk@bell-labs.com>
- Date: Tue, 06 Jan 1998 16:23:53 -0500
- To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
I'm becoming as despairing as everyone else about how to salvage Digest. But before we totally "lose it", let me try to "return to those days of yesteryear". We started Digest (does anyone remember "SimpleMD5"?) with a goal of eliminating cleartext passwords. That design goal was achieved ages ago. Since then we've added neat functionality to try to identify when the message has been modified or replayed. Now, nonces can guard against replay. I'll assert that the additions, to guard against header mucking, are misplaced: if you want to assure message integrity, use something like SSL. Yes, it's heavier weight, and you might like to get by with something cheaper. But message integrity (and confidentiality) is what you get with SSL. My summary: let's return Digest to its original purpose, avoiding cleartext passwords. Let's not try to impose on Digest capabilities for which it was not intended. Hi, yo, Silver, away! Dave Kristol
Received on Tuesday, 6 January 1998 13:37:40 UTC