RE: Digest mess from Paul Leach on 1998-01-07 (ietf-http-wg@w3.org from January to March 1998)

From: Paul Leach <paulle@microsoft.com>
Date: Wed, 7 Jan 1998 09:30:03 -0800
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, 'Scott Lawrence' <lawrence@agranat.com>
Message-Id: <5CEA8663F24DD111A96100805FFE65872038E0@red-msg-51.dns.microsoft.com>

I agree with Scott that digest without message integrity is not very secure
-- just the assurance that some part of the message was once issued by the
client.

> ----------
> From: 	Scott Lawrence[SMTP:lawrence@agranat.com]
> Sent: 	Wednesday, January 07, 1998 7:18 AM
> To: 	http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> Subject: 	Re: Digest mess
> 
> 
> >>>>> "DK" == Dave Kristol <dmk@bell-labs.com> writes:
> 
> DK> Repeat after me "Digest is meant to replace Basic."
> 
>   I would just extend that to
> 
>     "Digest is meant to replace Basic with something useful."
> 
> DK> Basic provides no message integrity.  There may indeed be a need
> DK> for a lightweight way to detect POST/PUT message integrity.  But
> DK> let's not necessarily force the latter on the former.
> 
>   Even GET without at least some response integrity is of questionable
>   value, and without a digest you don't even get that (and you can if
>   you include a client nonce).  I don't accept the argument that we
>   are doing something good by replacing one inadequate mechanism with
>   another inadequate one.
> 
> DK> Are you saying that the original Digest wouldn't play through proxies?
> DK> If so, how would the more recent version do any better?  (Unless
> you're
> DK> referring to the way proxies may mung headers.  Original Digest wasn't
> DK> dependent on other headers.)
> 
>   It was dependant on the headers for the entity integrity, and that's
>   essential (in my admittedly not-so-humble opinion :).
> 
> DK> I would hate to see the best be the enemy of the good here.
> 
>   As I see it, I'm far from arguing for the 'best' here... just
>   'adequate'.
> 
> DK> I have had server support for Digest for nearly three years (and
> DK> SimpleMD5 before that), and I've longed for widespread support of
> DK> Digest in clients.
> 
>   ...and one argument that client vendors have made for why they have
>   not deployed it is that it is too weak - why would they be any
>   more motivated to provide Digest without integrity protection?
> 
>   They have argued that Basic with SSL is better, and as things appear
>   to be going I would have a tough time making a technical case
>   otherwise.
> 
> --
> Scott Lawrence           EmWeb Embedded Server
> <lawrence@agranat.com>
> Agranat Systems, Inc.        Engineering
> http://www.agranat.com/
>

Received on Wednesday, 7 January 1998 09:38:13 UTC