
RE: Some comments on Digest Auth

From: John Franks <john@math.nwu.edu>
Date: Wed, 21 Jan 1998 17:07:46 -0600 (CST)
To: Paul Leach <paulle@microsoft.com>
Cc: "'David W. Morris'" <dwm@xpasc.com>, "'dmk@research.bell-labs.com'" <dmk@research.bell-labs.com>, http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.LNX.3.96.980121170127.13837B-100000@hopf.math.nwu.edu>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/5259
On Wed, 21 Jan 1998, Paul Leach wrote:

> The following criteria are fine by me:
> 1. Recovery of the password on one system doesn't allow its use on another
> 2. Replay attacks are limited to a reasonably small time window, and
> implementations can practically make it quite small.
> 3. Brute force attack is infeasible on well chosen passwords.

We are all in agreement here.  I think that the last official
version of the spec with all references to entity-digest and
Authentication-info removed pretty well meets these needs if
a timestamp is used in the nonce.

I don't see that further requirements in the spec will buy us
much more.  

John Franks
Received on Wednesday, 21 January 1998 15:12:32 UTC
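The nonce construction the message relies on (a timestamp inside the nonce so that a captured Authorization header is only replayable within a short window) can be shown end to end. The following is an added example, not code from the thread or from any HTTP implementation: it builds a Digest-style nonce as base64("timestamp:HMAC(server-key, timestamp)"), computes the RFC 2069 form of the response (MD5 of H(A1):nonce:H(A2), no qop), and has the server reject stale nonces before it even checks credentials. The server key, the 60-second window, the small clock-skew allowance, and the sample user and realm are all assumed values.

```python
import base64
import hashlib
import hmac
import time

# Per-process server secret (constructed for this example; generate a random
# one at startup in real code). A client cannot forge a fresh-looking nonce
# without it, so the timestamp inside the nonce can be trusted.
SERVER_KEY = b"example-server-key-not-for-production"

# Replay window. The thread argues implementations can make this "quite
# small"; 60 seconds is an assumed value, as is the 5-second skew allowance.
NONCE_WINDOW_SECONDS = 60
CLOCK_SKEW_SECONDS = 5


def make_nonce(now=None, key=SERVER_KEY):
    """Return base64("<unix-ts>:<hex HMAC-SHA256 over the ts>")."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(key, str(ts).encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{mac}".encode()).decode()


def check_nonce(nonce, now=None, key=SERVER_KEY, window=NONCE_WINDOW_SECONDS):
    """Classify a client-supplied nonce as "ok", "stale" or "invalid"."""
    try:
        raw = base64.b64decode(nonce, validate=True).decode()
        ts_str, mac = raw.split(":", 1)
        ts = int(ts_str)
    except ValueError:          # bad base64, missing ':' or non-integer ts
        return "invalid"
    expected = hmac.new(key, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "invalid"        # forged or tampered nonce
    current = int(time.time() if now is None else now)
    if current - ts > window or ts > current + CLOCK_SKEW_SECONDS:
        return "stale"          # outside the replay window
    return "ok"


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def ha1_for(username, realm, password):
    """H(A1) = MD5(username:realm:password). Because the realm is mixed in,
    the value a server stores is useless against a server with another
    realm (criterion 1 in the quoted list)."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2069-style response = MD5(H(A1):nonce:H(A2)), H(A2) = MD5(method:uri).
    The password itself never travels on the wire."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify_request(stored_ha1, method, uri, nonce, response, now=None):
    """Server side: refuse stale/invalid nonces first, then check the digest.
    Returns "ok", "stale", "invalid-nonce" or "bad-credentials"."""
    state = check_nonce(nonce, now=now)
    if state == "invalid":
        return "invalid-nonce"
    if state == "stale":
        return "stale"          # answer 401 with stale=true, fresh nonce
    expected = digest_response(stored_ha1, method, uri, nonce)
    if not hmac.compare_digest(expected, response):
        return "bad-credentials"
    return "ok"


if __name__ == "__main__":
    # Sample credentials (constructed for the example).
    ha1 = ha1_for("mufasa", "testrealm", "Circle Of Life")
    nonce = make_nonce(now=1000)
    resp = digest_response(ha1, "GET", "/dir/index.html", nonce)
    print(verify_request(ha1, "GET", "/dir/index.html", nonce, resp, now=1030))  # ok
    # The same captured header presented after the window is refused.
    print(verify_request(ha1, "GET", "/dir/index.html", nonce, resp, now=1200))  # stale
```

Note that the window check happens before the credential check, so a replayed header outside the window costs the server one HMAC and no password-hash work; within the window the only defence is the size of the window itself, which is exactly the trade-off the message points at.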
