- From: Robert Sayre <sayrer@gmail.com>
- Date: Sat, 4 Mar 2006 14:54:48 -0500
- To: ietf-http-wg@w3.org
---------- Forwarded message ----------
From: Robert Sayre <sayrer@gmail.com>
Date: Mar 3, 2006 1:33 AM
Subject: draft-sayre-http-hmac-digest-00
To: ietf-http-auth@osafoundation.org

All,

I recently encountered a situation where I wanted to use Digest authentication, but only had already-hashed passwords to work with. So, I thought I would try fixing Digest authentication. I've read that many people want to do this, but I haven't seen any action in this area.

The scheme presented in the draft below allows the client to include request header values in the digest, for message integrity. There is no provision for entity integrity checking. However, the client could include a Content-MD5 header, and the server would only have to verify that value after the client had passed the challenge. The scheme also omits server nonces, and forces clients to send creation timestamps instead.

The draft includes working client and server Python scripts.

http://franklinmint.fm/2006/03/03/draft-sayre-http-hmac-digest-00.html
http://franklinmint.fm/2006/03/03/draft-sayre-http-hmac-digest-00.txt

It has all the problems you would expect with shared-secret authentication. But, on the plus side, it works with drop-in PHP scripts like WordPress, and I hope it's better than Basic.

--
Robert Sayre
Received on Saturday, 4 March 2006 19:55:24 UTC
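The pattern the message describes, as an added illustration that is not the draft's own scripts or wire format: the client keys an HMAC with the already-hashed password, binds selected request header values and its own creation timestamp into the digest, and the server recomputes it. Since there is no server nonce, the server's only replay bound is a freshness window on that timestamp. The hash (HMAC-SHA256), the canonical string layout, the protected header set, the sample request and the 300-second window are all assumptions made here.

```python
import hashlib
import hmac
import time

# Constructed: the server only holds a hash of the password, as in the message's
# scenario, so that hash (not the cleartext) is the HMAC key on both sides.
STORED_PASSWORD_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()

# Assumed choice of which request header values the client binds into the digest.
PROTECTED_HEADERS = ("host", "content-md5")

def canonical_string(method, uri, headers, timestamp):
    """Assumed layout: method, URI, creation time, then each protected header value."""
    parts = [method.upper(), uri, str(timestamp)]
    for name in PROTECTED_HEADERS:
        parts.append(headers.get(name, ""))
    return "\n".join(parts)

def client_digest(secret_hex, method, uri, headers, timestamp):
    """Client side: HMAC-SHA256 (assumed) over the canonical string, keyed with the hashed password."""
    msg = canonical_string(method, uri, headers, timestamp).encode()
    return hmac.new(secret_hex.encode(), msg, hashlib.sha256).hexdigest()

def server_verify(secret_hex, method, uri, headers, timestamp, digest, now=None, window=300):
    """Server side: reject stale timestamps first (the replay bound that replaces
    a server nonce), then recompute and compare in constant time. A Content-MD5
    value would be checked against the body only after this returns True."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > window:
        return False  # outside the freshness window: stale or future-dated
    expected = client_digest(secret_hex, method, uri, headers, timestamp)
    return hmac.compare_digest(expected, digest)

def demo():
    """Constructed request: a blog-style XML-RPC POST carrying a Content-MD5 header."""
    headers = {"host": "blog.example", "content-md5": "rL0Y20zC+Fzt72VPzMSk2A=="}
    ts = 1141367580  # constructed client creation timestamp
    digest = client_digest(STORED_PASSWORD_HASH, "POST", "/xmlrpc.php", headers, ts)
    fresh = server_verify(STORED_PASSWORD_HASH, "POST", "/xmlrpc.php", headers, ts, digest, now=ts + 10)
    stale = server_verify(STORED_PASSWORD_HASH, "POST", "/xmlrpc.php", headers, ts, digest, now=ts + 3600)
    altered = dict(headers, host="other.example")  # same digest, tampered protected header
    forged = server_verify(STORED_PASSWORD_HASH, "POST", "/xmlrpc.php", altered, ts, digest, now=ts + 10)
    return fresh, stale, forged

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```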