- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Mon, 11 Jun 2007 05:23:44 +0200
- To: Lisa Dusseault <lisa@osafoundation.org>
- Cc: Eliot Lear <lear@cisco.com>, Apps Discuss <discuss@apps.ietf.org>, Mark Nottingham <mnot@mnot.net>, Chris Newman <Chris.Newman@Sun.COM>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-Id: <1181532224.3389.47.camel@henriknordstrom.net>
Sun 2007-06-10 at 14:10 -0700, Lisa Dusseault wrote:

> Digest has a bad reputation particularly among Web App developers for
> a number of reasons, some inherent to the design and specification,
> some stemming from implementation and deployment choices.

Nearly all is implementation.

> http://www.xml.com/pub/a/2003/12/17/dive.html: "most web hosting
> providers don't turn on digest authentication (it requires an Apache
> module that is not on by default). Even if Bob's ISP had

Implementation.

> http://blogs.msdn.com/drnick/archive/2006/05/12/understanding-http-authentication.aspx: "Digest authentication requires the use of Windows domain accounts.

Plain untrue, unless you restrict your view of Digest to the Microsoft IIS implementation, in which case it's implementation.

> http://www.imc.org/atom-syntax/mail-archive/msg06103.html: " (1) Some
> web-servers remove the WWW-Authenticate header before passing it to a
> CGI program."

Implementation. Well, CGI is not the proper interface to implement authentication schemes, but it's implementation in the sense that web servers are a bit poor in allowing applications to set the authentication requirements in a sensible manner. But it is fully doable with only a little effort.

> http://www.imc.org/atom-protocol/mail-archive/msg00836.html: "do all
> digest and WSSE implementations require server-side access to
> clear-text passwords or is that just a weakness of the implementations
> I looked at?"

No, the realm-specific H(A1) is required.

> http://www.imc.org/atom-syntax/mail-archive/msg00139.html: "I'm a
> small site, security is very much a concern and my host does not
> provide Digest and won't do so."

Implementation.

> Thus it's hard for an administrator to use today's Web server software
> and Digest authentication, and still have an application-specific
> database of usernames/passwords. The server software gets in the way
> -- it may even be easier for the Web App developer to implement
> something non-standard like WSSE than have to rely on built-in
> functions.

That's all implementation. Web servers don't make it easy for applications to use/control HTTP authentication, so applications don't use it. CGI is not the proper interface for HTTP authentication. It's the web server's responsibility to handle the fine details of HTTP (including authentication) and the CGI's responsibility to provide content and applications.

> i18n is also a problem:
> http://www.agileprogrammer.com/eightytwenty/archive/2006/05/04/14280.aspx

Yes, this is a specification problem inherent to both Basic and Digest.

> And for humour on the situation:
> http://bitworking.org/news/Problems_with_HTTP_Authentication_Interop

Yes, there are lots of broken Digest implementations around, either not reading the specs, not caring to implement anything but the absolute minimum required for a conditionally compliant implementation, not testing their implementation, or sticking to old specs considered obsolete and broken. And pressure from users that things must work even with the broken implementations, as the users consider the broken browser implementations unfixable. Don't know how many times I have asked users to file a bug report with vendor X and always receive the same answer: "no, it's of no use, we must work around the bug somehow."

Regards
Henrik
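The point in the message that a Digest server needs only the realm-specific H(A1), never the cleartext password, shown as an added example that is not part of the original thread. It follows the RFC 2617 qop=auth computation and checks itself against the worked values in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"); the `enroll`/`verify`/`parse_digest_header` helper names and the simplified header parser are this example's own assumptions, not any web server's API.

```python
import hashlib
import re
import secrets


def h(data: str) -> str:
    """RFC 2617 H(): lowercase hex MD5 over the string's bytes.
    The encoding chosen here is exactly the i18n gap the thread mentions:
    the spec does not say which encoding of a non-ASCII username or
    password both sides should hash, so interop depends on convention."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def enroll(username: str, realm: str, password: str) -> str:
    """What the server stores at enrolment: H(A1) = H(username:realm:password).
    The cleartext password is discarded; only this realm-bound digest is kept,
    and it is useless for any other realm."""
    return h(f"{username}:{realm}:{password}")


def client_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth") -> str:
    """Client side of RFC 2617 with qop=auth: the request-digest computed
    from the cleartext password the user typed."""
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_header(username, realm, uri, nonce, nc, cnonce, response) -> str:
    """Assemble the Authorization value a client would send (constructed here)."""
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


# key=value pairs, quoted or bare (simplified parser for this example:
# it does not handle escaped quotes inside quoted strings)
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(value: str) -> dict:
    """Parse an 'Authorization: Digest ...' value into a parameter dict."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: (q or u) for k, q, u in _PARAM.findall(params)}


def verify(stored_ha1: str, method: str, header: str) -> bool:
    """Server side: recompute the digest from the stored H(A1) and the request
    parameters. No cleartext password is touched. Nonce freshness / nc replay
    tracking is a separate server concern and is out of scope here."""
    p = parse_digest_header(header)
    ha2 = h(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":
        expected = h(f"{stored_ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    elif "qop" not in p:
        expected = h(f"{stored_ha1}:{p['nonce']}:{ha2}")  # RFC 2069 compatibility form
    else:
        return False  # auth-int is not handled by this example
    return secrets.compare_digest(expected, p["response"])


# Values from the RFC 2617 section 3.5 example (the "opaque" parameter omitted).
RFC2617_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b",
)


def demo() -> tuple:
    """Returns (client response, verified with stored H(A1), verified with wrong password,
    same header replayed against a different method)."""
    e = RFC2617_EXAMPLE
    stored = enroll(e["username"], e["realm"], e["password"])
    resp = client_response(e["username"], e["realm"], e["password"], e["method"],
                           e["uri"], e["nonce"], e["nc"], e["cnonce"])
    hdr = build_header(e["username"], e["realm"], e["uri"], e["nonce"], e["nc"], e["cnonce"], resp)
    ok = verify(stored, "GET", hdr)
    wrong_pw = verify(enroll(e["username"], e["realm"], "not the password"), "GET", hdr)
    replayed = verify(stored, "POST", hdr)
    return resp, ok, wrong_pw, replayed


if __name__ == "__main__":
    print(demo())
```

The server-side table holds `enroll()` output only; an application that owns its own user database can therefore do Digest without the web server ever seeing a password, which is the implementation gap the message is complaining about rather than a limitation of the scheme. The `h()` helper's encoding choice is where the Basic/Digest i18n problem mentioned later in the message lives.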
Received on Monday, 11 June 2007 03:23:59 UTC