- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Fri, 11 Aug 2006 01:04:36 +0000
- To: <ingo@ingostruck.de>, "William A. Rowe, Jr." <wrowe@rowe-clan.net>
- CC: <ietf-http-wg@w3.org>
The statements about strength in 2617 refer to the strength of any password based mechanism compared to public key mechanisms. The strength of Digest should be only limited by the strength of the password -- if we continue to use weak hash schemes, that won't be true. (Not to mention that in some cases, strong random passwords can be used, and these will be as strong as the hash. We shouldn't rule these cases out needlessly.) -----Original Message----- From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Ingo Struck Sent: Thursday, August 10, 2006 10:03 AM To: William A. Rowe, Jr. Cc: ietf-http-wg@w3.org Subject: Re: RFC 2617 errata / MD5-sess William, On Thursday 10 August 2006 16:12, William A. Rowe, Jr. wrote: > My own concern, if the MD5-sess dialog is reopened, is to account for > the complete dismissal of MD5 for any authn/authz security > applications and to reopen the spec to extending the noonce to SHA1 / SHA2 semantics. > > MD5 is already past it's prime, and SHA1 is heading that way as well. > It would be good to anticipate future hash support by adding anything > of SHA2 up to SHA-512 and providing for an extensible description of > the negotiated hash employed for this purpose. First, rfc2617 explicitly states that it is not and does not want to be a cryptographically strong authentication mechanism (it only wants to substitute the completely unacceptable plain-text-password basic-auth)
Received on Friday, 11 August 2006 07:36:22 UTC