- From: Lisa Dusseault <lisa@osafoundation.org>
- Date: Sun, 10 Jun 2007 14:10:12 -0700
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- Cc: Eliot Lear <lear@cisco.com>, Apps Discuss <discuss@apps.ietf.org>, Mark Nottingham <mnot@mnot.net>, Chris Newman <Chris.Newman@Sun.COM>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-Id: <8DD2BD5A-9068-43C3-973E-382FAD2E0EA8@osafoundation.org>
On Jun 8, 2007, at 3:34 PM, Henrik Nordstrom wrote:

> In what way does Digest not fit that? (putting aside the security
> concerns regarding Digest use of MD5 and how)
>
> What is missing for Digest is some standard means for establishing the
> password without exchanging the password, but it's possible to do such
> exchange, at least to a reasonable level.

Digest has a bad reputation particularly among Web App developers for a number of reasons, some inherent to the design and specification, some stemming from implementation and deployment choices.

http://www.xml.com/pub/a/2003/12/17/dive.html:

"most web hosting providers don't turn on digest authentication (it requires an Apache module that is not on by default). Even if Bob's ISP had mod_digest_auth enabled, it wouldn't help Bob, because he has no .htaccess rights to configure his passwords; and, because of the way Apache works, CGIs can't implement digest authentication on their own. (Scripts handled by an Apache module, such as mod_php or mod_perl, can implement HTTP digest authentication. But external CGI processes can't because Apache does not pass the necessary headers along to the CGI script. But that still doesn't help Bob because his hosting provider doesn't offer PHP; and, even if they did, his weblog software doesn't run on PHP anyway.)"

http://blogs.msdn.com/drnick/archive/2006/05/12/understanding-http-authentication.aspx:

"Digest authentication requires the use of Windows domain accounts. The digest realm indicates the Windows domain name. Due to this, a server running on an operating system that does not support Windows domains, such as Windows XP Home, cannot be used with Digest authentication. When the client is running on an operating system that does not support Windows domains, a domain account must be explicitly specified during the authentication."

http://www.imc.org/atom-syntax/mail-archive/msg06103.html:

"(1) Some web-servers remove the WWW-Authenticate header before passing it to a CGI program."

http://www.imc.org/atom-protocol/mail-archive/msg00836.html:

"do all digest and WSSE implementations require server-side access to clear-text passwords or is that just a weakness of the implementations I looked at?"

http://www.imc.org/atom-syntax/mail-archive/msg00139.html:

"I'm a small site, security is very much a concern and my host does not provide Digest and won't do so."

Thus it's hard for an administrator to use today's Web server software and Digest authentication, and still have an application-specific database of usernames/passwords. The server software gets in the way -- it may even be easier for the Web App developer to implement something non-standard like WSSE than have to rely on built-in functions.

i18n is also a problem: http://www.agileprogrammer.com/eightytwenty/archive/2006/05/04/14280.aspx

And for humour on the situation: http://bitworking.org/news/Problems_with_HTTP_Authentication_Interop

Lisa
Received on Sunday, 10 June 2007 21:10:25 UTC
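The following is an added example, not part of Lisa's message or any code posted in the thread. It addresses the quoted question about whether Digest forces the server to hold clear-text passwords: an RFC 2617 Digest verifier (qop=auth, MD5) only needs HA1 = MD5(username:realm:password) per user, so an application can keep its own user database without ever storing the password itself. The realm, nonce, user names, passwords, request target and cnonce below are constructed sample values.

```python
"""Minimal RFC 2617 Digest (qop=auth, algorithm=MD5) challenge/response with an HA1-only store.

Added example; all sample values (realm, nonce, users, passwords, URIs) are constructed.
"""
import hashlib
import hmac
import re
import secrets

REALM = "example.invalid"                                # constructed sample realm
SAMPLE_NONCE = "5e7a1c9f0b3d4a2e8f6c1d0b9a7e3c51"       # fixed so a run is repeatable


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is all the server needs to keep per user."""
    return md5_hex(f"{username}:{realm}:{password}")


def make_nonce() -> str:
    """Fresh server nonce for a WWW-Authenticate challenge."""
    return secrets.token_hex(16)


def www_authenticate(realm: str, nonce: str) -> str:
    """Server side: the 401 challenge header value."""
    return f'Digest realm="{realm}", qop="auth", nonce="{nonce}", algorithm=MD5'


def compute_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri), qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(username: str, realm: str, password: str, method: str,
                        uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client side: derive HA1 from the password and produce the Authorization header value."""
    ha1 = make_ha1(username, realm, password)
    resp = compute_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')


def parse_digest_header(value: str) -> dict:
    """Split a Digest credential into its key=value fields (quoted or bare values)."""
    if not value.lower().startswith("digest "):
        raise ValueError("not a Digest credential")
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,]+))', value[len("Digest "):]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3).strip()
    return fields


def verify_authorization(header: str, method: str, request_uri: str, realm: str,
                         ha1_store: dict, valid_nonces: set) -> bool:
    """Server side: check a credential using only the stored HA1 for that user.

    Checks performed: required fields present, realm and qop as issued, nonce is one we
    issued, the uri field matches the actual request target (so a response cannot be
    replayed against another resource), and a constant-time compare of the response.
    Nonce-count (nc) replay tracking is omitted here; a real server should keep it.
    """
    try:
        f = parse_digest_header(header)
    except ValueError:
        return False
    required = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}
    if not required <= f.keys():
        return False
    if f["realm"] != realm or f["qop"] != "auth" or f.get("algorithm", "MD5") != "MD5":
        return False
    if f["nonce"] not in valid_nonces or f["uri"] != request_uri:
        return False
    ha1 = ha1_store.get(f["username"])
    if ha1 is None:
        return False
    expected = compute_response(ha1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return hmac.compare_digest(expected, f["response"])


def sample_ha1_store() -> dict:
    """Constructed user database holding HA1 values only, never the passwords."""
    return {"alice": make_ha1("alice", REALM, "s3cret-pa55"),
            "bob": make_ha1("bob", REALM, "another-pa55")}


if __name__ == "__main__":
    store = sample_ha1_store()
    print("401 WWW-Authenticate:", www_authenticate(REALM, SAMPLE_NONCE))
    hdr = build_authorization("alice", REALM, "s3cret-pa55", "GET", "/dir/index.html",
                              SAMPLE_NONCE, "00000001", "0a4f113b")
    print("Authorization:", hdr)
    print("verified:", verify_authorization(hdr, "GET", "/dir/index.html", REALM, store, {SAMPLE_NONCE}))
```

Two caveats that belong with this: HA1 is password-equivalent for its realm, so the HA1 store needs the same protection as a password file (and changing the realm invalidates every stored HA1); and the verifier only works if the application actually receives the Authorization header, which, as the quoted posts note, Apache does not hand to external CGI scripts by default (a common workaround is to re-export it from mod_rewrite with an `[E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` rule).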