- From: John Franks <john@math.nwu.edu>
- Date: Tue, 6 Jan 1998 20:26:14 -0600 (CST)
- To: Dave Kristol <dmk@bell-labs.com>
- Cc: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
On Tue, 6 Jan 1998, Dave Kristol wrote:

> We started Digest (does anyone remember "SimpleMD5"?) with a goal of
> eliminating cleartext passwords. That design goal was achieved ages
> ago. Since then we've added neat functionality to try to identify when
> the message has been modified or replayed.
> [snip]
> My summary: let's return Digest to its original purpose, avoiding
> cleartext passwords. Let's not try to impose on Digest capabilities for
> which it was not intended.
>

A number of others have echoed this sentiment. There may be an emerging consensus to undock all the entity-digest and Authentication-info parts of the current digest specification, leaving digest as a simple replacement for Basic authentication with precisely the same functionality, but with the elimination of cleartext passwords.

I have no problem with this. I think it does not break existing implementations because the parts to be removed are optional.

This would then allow interested parties to pursue "digest-ng" which could be incompatible and in particular could authenticate the server to the client by the use of client nonces. It could also deal with the issues of digesting headers.

John Franks
john@math.nwu.edu
Received on Tuesday, 6 January 1998 18:38:51 UTC
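An added example, not part of this message or of the working group's drafts, illustrating the point under discussion: the core Digest exchange of the original (RFC 2069 style) specification, with no entity digest and no Authentication-info, already keeps the password off the wire, whereas Basic sends it as reversible base64. The realm, nonce, user and password below are constructed sample values.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values (not from the message above).
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # server-chosen per challenge
USERNAME = "Mufasa"
PASSWORD = "CircleOfLife"

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def basic_header(user: str, password: str) -> str:
    # Basic: "user:password" in base64, i.e. cleartext to anyone on the path.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def digest_response(user, realm, password, nonce, method, uri) -> str:
    # Original Digest: response = MD5(HA1 ":" nonce ":" HA2); no qop, no
    # entity-digest.  HA1 = MD5(user:realm:password), HA2 = MD5(method:uri).
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def digest_header(user, realm, password, nonce, method, uri) -> str:
    resp = digest_response(user, realm, password, nonce, method, uri)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def parse_digest(header: str) -> dict:
    # Minimal parser for the quoted key="value" pairs of the Digest header.
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def server_verify(header, method, ha1_by_user, issued_nonce) -> bool:
    # The server stores only HA1 per user and recomputes the response.
    p = parse_digest(header)
    if p.get("nonce") != issued_nonce:      # unknown or stale nonce
        return False
    ha1 = ha1_by_user.get(p.get("username", ""))
    if ha1 is None or "uri" not in p:
        return False
    ha2 = md5hex(f"{method}:{p['uri']}")
    expected = md5hex(f"{ha1}:{issued_nonce}:{ha2}")
    return hmac.compare_digest(expected, p.get("response", ""))
```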