Re: Digest mess

>>>>> "JF" == John Franks <> writes:

>> We started Digest (does anyone remember "SimpleMD5"?) with a goal of
>> eliminating cleartext passwords.  That design goal was achieved ages
>> ago.  Since then we've added neat functionality to try to identify when
>> the message has been modified or replayed.

  But without at least some message integrity protection the
  authentication credentials are meaningless.  Granted, we cannot
  achieve complete integrity protection - for that you have to go to

JF> I have no problem with this.  I think it does not break existing
JF> implementations because the parts to be removed are optional.

  Let me take one more stab at this.

  My proposed change is that we remove the problematic headers from
  the entity digest calculation and replace them with the use of a
  client-generated nonce.

  The principle objection to this that I've heard is that it is not
  backward compatible with existing implementations.  Fair enough.

  I would normally not suggest added complexity, but... the server can
  tell whether to use the RFC2069 version of the scheme or not by
  whether or not the client supplies a nonce.  The client nonce would
  have to be transmitted to the server as an attribute of the
  Authorization header field anyway - if it is present, then the
  client does 'new' digest that uses it; if not, then it does RFC2069

Scott Lawrence           EmWeb Embedded Server       <>
Agranat Systems, Inc.        Engineering  

Received on Wednesday, 7 January 1998 06:26:50 UTC