W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2006

Fwd: draft-sayre-http-hmac-digest-00

From: Robert Sayre <sayrer@gmail.com>
Date: Sat, 4 Mar 2006 14:54:48 -0500
Message-ID: <68fba5c50603041154l58e81504t61d3a608e2d97fda@mail.gmail.com>
To: ietf-http-wg@w3.org

---------- Forwarded message ----------
From: Robert Sayre <sayrer@gmail.com>
Date: Mar 3, 2006 1:33 AM
Subject: draft-sayre-http-hmac-digest-00
To: ietf-http-auth@osafoundation.org


I recently encountered a situation where I wanted to use Digest
authentication, but only had already-hashed passwords to work with.
So, I thought I would try fixing Digest authentication. I've read that
many people want to do this, but I haven't seen any action in this

The scheme presented in the draft below allows the client to include
request header values in the digest, for message integrity. There is
no provision for entity integrity checking. However, the client could
include a Content-MD5 header, and the server would only have to verify
that value after the client had passed the challenge. The scheme also
omits server nonces, and forces clients to send creation timestamps

The draft includes working client and server Python scripts.


It has all the problems you would expect with shared-secret
authentication. But, on the plus side, it works with drop-in PHP
scripts like Wordpress, and I hope it's better than basic.


Robert Sayre
Received on Saturday, 4 March 2006 19:55:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:13:27 UTC