W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 1998

RE: Digest mess

From: Yaron Goland <yarong@microsoft.com>
Date: Tue, 6 Jan 1998 22:37:49 -0800
Message-Id: <3FF8121C9B6DD111812100805F31FC0D0E71FB@red-msg-59.dns.microsoft.com>
To: Josh Cohen <joshco@microsoft.com>, 'Dave Kristol' <dmk@bell-labs.com>, HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/5099
I believe this would be sufficient for DAV's immediate needs. Our main goal
is to get beyond clear text passwords. I admit to having gotten caught up in
the "let us fix digest" fury. HTTP needs a message oriented single key based
authentication and encryption system but digest isn't it and shouldn't be
beaten into it. Let us just get rid of clear text passwords, declare
victory, and go home. We can come back later to solve the rest of the
world's problems.


> -----Original Message-----
> From:	Josh Cohen 
> Sent:	Tuesday, January 06, 1998 4:35 PM
> To:	'Dave Kristol'; HTTP Working Group
> Subject:	RE: Digest mess
> I agree.
> (feel free to correct me if Im wrong..)
> There seems to be a lot of other protocols
> or efforts which depend on HTTP um, security.
> By having digest, they meet the IETF security
> requirements, and may proceed.
> If digest fails or comes out of the spec, this 
> will derail other efforts as well.
> I know that we're supposed to avoid favoring
> "process" over technical soundness, but in this
> case, I dont think that applies.
> We're not degrading the technical soundless of
> digest if we do as Dave says, we're just reducing
> the scope of digest to a more manageable task.
> The task that Digest was originally intended for.
> If the other functionality is deemed desireable,
> it should proceed on its own.. These says
> we seem to like saying "undock" alot..
> Finally, its too late in the game to add such new
> functionality.  If you balk at that and say
> "existing functionality that we need to fix",
> well, by the discussion so far it seems that
> the work required is far beyond a simple fix.
> My personal vote is to do as dave says, if thats
> possible.
> --
> Josh Cohen <joshco@microsoft.com>
> Program Manager - Internet Technologies 
> > -----Original Message-----
> > From: Dave Kristol [mailto:dmk@bell-labs.com]
> > Sent: Tuesday, January 06, 1998 1:24 PM
> > To: HTTP Working Group
> > Subject: Re: Digest mess
> > 
> > 
> > I'm becoming as despairing as everyone else about how to salvage
> > Digest.  But before we totally "lose it", let me try to "return to those
> > days of yesteryear".
> > 
> > We started Digest (does anyone remember "SimpleMD5"?) with a goal of
> > eliminating cleartext passwords.  That design goal was achieved ages
> > ago.  Since then we've added neat functionality to try to identify when
> > the message has been modified or replayed.  Now, nonces can guard
> > against replay.  I'll assert that the additions, to guard against header
> > mucking, are misplaced:  if you want to assure message integrity, use
> > something like SSL.  Yes, it's heavier weight, and you might like to get
> > by with something cheaper.  But message integrity (and confidentiality)
> > is what you get with SSL.
> > 
> > My summary:  let's return Digest to its original purpose, avoiding
> > cleartext passwords.  Let's not try to impose on Digest capabilities for
> > which it was not intended.
> > 
> > Hi, yo, Silver, away!
> > 
> > Dave Kristol
> > 
Received on Tuesday, 6 January 1998 22:40:42 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:04 UTC