RE: Digest mess from Josh Cohen on 1998-01-07 (ietf-http-wg@w3.org from January to March 1998)

From: Josh Cohen <joshco@microsoft.com>
Date: Tue, 6 Jan 1998 16:34:52 -0800
To: 'Dave Kristol' <dmk@bell-labs.com>, HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Message-Id: <21FD6499922DD111A4F600805FCCD6F2BC35E1@red-86-msg.dns.microsoft.com>

I agree.
(feel free to correct me if Im wrong..)
There seems to be a lot of other protocols
or efforts which depend on HTTP um, security.
By having digest, they meet the IETF security
requirements, and may proceed.
If digest fails or comes out of the spec, this 
will derail other efforts as well.
I know that we're supposed to avoid favoring
"process" over technical soundness, but in this
case, I dont think that applies.
We're not degrading the technical soundless of
digest if we do as Dave says, we're just reducing
the scope of digest to a more manageable task.
The task that Digest was originally intended for.

If the other functionality is deemed desireable,
it should proceed on its own.. These says
we seem to like saying "undock" alot..

Finally, its too late in the game to add such new
functionality.  If you balk at that and say
"existing functionality that we need to fix",
well, by the discussion so far it seems that
the work required is far beyond a simple fix.

My personal vote is to do as dave says, if thats
possible.



--
Josh Cohen <joshco@microsoft.com>
Program Manager - Internet Technologies 

> -----Original Message-----
> From: Dave Kristol [mailto:dmk@bell-labs.com]
> Sent: Tuesday, January 06, 1998 1:24 PM
> To: HTTP Working Group
> Subject: Re: Digest mess
> 
> 
> I'm becoming as despairing as everyone else about how to salvage
> Digest.  But before we totally "lose it", let me try to "return to those
> days of yesteryear".
> 
> We started Digest (does anyone remember "SimpleMD5"?) with a goal of
> eliminating cleartext passwords.  That design goal was achieved ages
> ago.  Since then we've added neat functionality to try to identify when
> the message has been modified or replayed.  Now, nonces can guard
> against replay.  I'll assert that the additions, to guard against header
> mucking, are misplaced:  if you want to assure message integrity, use
> something like SSL.  Yes, it's heavier weight, and you might like to get
> by with something cheaper.  But message integrity (and confidentiality)
> is what you get with SSL.
> 
> My summary:  let's return Digest to its original purpose, avoiding
> cleartext passwords.  Let's not try to impose on Digest capabilities for
> which it was not intended.
> 
> Hi, yo, Silver, away!
> 
> Dave Kristol
>

Received on Tuesday, 6 January 1998 16:38:10 UTC