- From: Scott Lawrence <lawrence@agranat.com>
- Date: Wed, 07 Jan 1998 09:12:14 -0500
- To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
>>>>> "JF" == John Franks <john@math.nwu.edu> writes: >> We started Digest (does anyone remember "SimpleMD5"?) with a goal of >> eliminating cleartext passwords. That design goal was achieved ages >> ago. Since then we've added neat functionality to try to identify when >> the message has been modified or replayed. But without at least some message integrity protection the authentication credentials are meaningless. Granted, we cannot achieve complete integrity protection - for that you have to go to SSL/TLS or S-HTTP. JF> I have no problem with this. I think it does not break existing JF> implementations because the parts to be removed are optional. Let me take one more stab at this. My proposed change is that we remove the problematic headers from the entity digest calculation and replace them with the use of a client-generated nonce. The principle objection to this that I've heard is that it is not backward compatible with existing implementations. Fair enough. I would normally not suggest added complexity, but... the server can tell whether to use the RFC2069 version of the scheme or not by whether or not the client supplies a nonce. The client nonce would have to be transmitted to the server as an attribute of the Authorization header field anyway - if it is present, then the client does 'new' digest that uses it; if not, then it does RFC2069 style. -- Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com> Agranat Systems, Inc. Engineering http://www.agranat.com/
Received on Wednesday, 7 January 1998 06:26:50 UTC