- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Mon, 11 Jun 2007 06:17:52 +0200
- To: Keith Moore <moore@cs.utk.edu>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-Id: <1181535472.3389.84.camel@henriknordstrom.net>
Sun 2007-06-10 at 23:33 -0400, Keith Moore wrote:
> ah, but what's the reason for all of those implementation-imposed
> constraints? [in Digest]

Lack of a test suite allowing implementers to verify their implementation?

Lack of general interest in having a reasonably secure authentication mechanism?

Web authors considering look & feel much more important than security, and not willing to ask for the ability to have both, as forms + cookies accomplish their goal of getting the look & feel they want?

Digest being different than the other authentication mechanisms, and therefore a bit of a pain to integrate into existing systems, requiring a different password store or alternatively access to plaintext? (a problem shared with all secure authentication methods)

If not that, I am not sure.. The most common implementation bugs are

- Use of the wrong request method on non-GET requests
- Omitting the query parameters from the Request-URI
- Random client nonce-count sequences, including repeated use of the same nonce-count.
- md5-sess often broken, for example using wrong nonces.
- Incorrect escaping (partly a specification issue).

And the most common shortcomings are

- Not implementing qop at all (i.e. obsolete RFC 2069 level of implementation)
- Not implementing nonce-count at all, requesting a new challenge from the server on each request.
- Not implementing -int qop.

And of HTTP authentication in general:

- Web authors not given any influence on the user interface for the login step.
- Lack of any server-controlled session control. Logout or idle timeouts.

Regards
Henrik
Received on Monday, 11 June 2007 04:18:02 UTC
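The bug list above is concrete enough to check mechanically. The following is an added example, written for this page and not code from the message or from any implementation: it computes the RFC 2617 Digest response (qop=auth, auth-int, MD5-sess and the RFC 2069 form) and pairs it with a small server-side verifier that recomputes from the request actually received and tracks nonce-count. A correct client passes; a client that hashes `GET` into A2 for a POST, one that drops the query string from the Request-URI, and one that reuses a nonce-count are each rejected, and auth-int catches a tampered body. The `DigestVerifier` class, the `demonstrate()` helper and the `?id=42`/form-body request are constructed for illustration; the user, realm, nonce and cnonce values are the ones from the worked example in RFC 2617 section 3.5.

```python
"""Added example: RFC 2617 Digest computation plus a server-side check that
rejects the client bugs listed in the message. Illustrative code, not from
any real client or server; names and sample values are constructed."""
import hashlib
import hmac
from typing import Dict, Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str, algorithm: str = "MD5",
        nonce: Optional[str] = None, cnonce: Optional[str] = None) -> str:
    """H(A1). For MD5-sess the user hash is folded with nonce and cnonce."""
    h = _md5(f"{username}:{realm}:{password}")
    if algorithm.upper() == "MD5-SESS":
        # RFC 2617 3.2.2.2 forms the session A1 from the nonce and cnonce of the
        # first request of the session and reuses it; feeding in a later
        # challenge's nonce is one form of the "md5-sess often broken" bug.
        h = _md5(f"{h}:{nonce}:{cnonce}")
    return h


def ha2(method: str, uri: str, qop: Optional[str] = None, body: bytes = b"") -> str:
    """H(A2): the real request method, the full request-target (path plus
    query) and, for auth-int, the hash of the entity body."""
    if qop == "auth-int":
        return _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    return _md5(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, h2: str, qop: Optional[str] = None,
                    nc: Optional[str] = None, cnonce: Optional[str] = None) -> str:
    if qop:
        return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return _md5(f"{h1}:{nonce}:{h2}")  # RFC 2069 form: no qop, no replay protection


def client_authorization(username: str, password: str, realm: str, nonce: str,
                         method: str, uri: str, *, qop: Optional[str] = "auth",
                         nc: str = "00000001", cnonce: str = "0a4f113b",
                         algorithm: str = "MD5", body: bytes = b"") -> Dict[str, str]:
    """The fields a client puts in its Authorization header, as a dict."""
    h1 = ha1(username, realm, password, algorithm, nonce, cnonce)
    h2 = ha2(method, uri, qop, body)
    auth = {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "algorithm": algorithm,
            "response": digest_response(h1, nonce, h2, qop, nc, cnonce)}
    if qop:
        auth.update({"qop": qop, "nc": nc, "cnonce": cnonce})
    return auth


class DigestVerifier:
    """Server side (constructed): recompute from the request actually received
    and require a strictly increasing nonce-count per server nonce."""

    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        self.users = users               # username -> password (a real server would keep H(A1))
        self.last_nc: Dict[str, int] = {}  # server nonce -> highest accepted nc

    def verify(self, auth: Dict[str, str], method: str, request_target: str,
               body: bytes = b"") -> bool:
        password = self.users.get(auth.get("username", ""))
        if password is None:
            return False
        # The uri field must equal the request-target including its query string.
        if auth.get("uri") != request_target:
            return False
        nonce, qop = auth.get("nonce", ""), auth.get("qop")
        nc, cnonce = auth.get("nc"), auth.get("cnonce")
        n = 0
        if qop:
            if qop not in ("auth", "auth-int") or not nc or not cnonce:
                return False
            try:
                n = int(nc, 16)
            except ValueError:
                return False
            if n <= self.last_nc.get(nonce, 0):   # repeated or lower nc: replay
                return False
        h1 = ha1(auth["username"], self.realm, password, auth.get("algorithm", "MD5"), nonce, cnonce)
        h2 = ha2(method, request_target, qop, body)   # real method, target and body
        expected = digest_response(h1, nonce, h2, qop, nc, cnonce)
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False
        if qop:
            self.last_nc[nonce] = n
        return True


def rfc2617_example() -> str:
    """The response from the worked example in RFC 2617 section 3.5."""
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    return digest_response(ha1("Mufasa", "testrealm@host.com", "Circle Of Life"), nonce,
                           ha2("GET", "/dir/index.html", "auth"), "auth", "00000001", "0a4f113b")


def demonstrate() -> Dict[str, bool]:
    """Run a correct client and the buggy variants against the verifier."""
    realm, nonce = "testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    user, pw = "Mufasa", "Circle Of Life"
    server = DigestVerifier(realm, {user: pw})
    target, body = "/dir/index.html?id=42", b"name=simba"   # constructed request
    r: Dict[str, bool] = {}
    good = client_authorization(user, pw, realm, nonce, "POST", target, nc="00000001")
    r["correct POST"] = server.verify(good, "POST", target, body)
    # Bug: client hashed "GET" into A2 although it sends a POST.
    bad_method = client_authorization(user, pw, realm, nonce, "GET", target, nc="00000002")
    r["A2 used GET for a POST"] = server.verify(bad_method, "POST", target, body)
    # Bug: client dropped the query string from the Request-URI it digested.
    no_query = client_authorization(user, pw, realm, nonce, "POST", "/dir/index.html", nc="00000003")
    r["query string omitted"] = server.verify(no_query, "POST", target, body)
    # Bug: nonce-count 00000001 reused under the same server nonce.
    replay = client_authorization(user, pw, realm, nonce, "POST", target, nc="00000001")
    r["repeated nonce-count"] = server.verify(replay, "POST", target, body)
    # auth-int binds the body: a modified body fails, the original passes.
    integ = client_authorization(user, pw, realm, nonce, "POST", target, qop="auth-int",
                                 nc="00000004", body=body)
    r["auth-int tampered body"] = server.verify(integ, "POST", target, b"name=scar")
    r["auth-int intact"] = server.verify(integ, "POST", target, body)
    return r


if __name__ == "__main__":
    print(rfc2617_example())
    for case, ok in demonstrate().items():
        print(f"{case:28s} {'accepted' if ok else 'rejected'}")
```

The verifier deliberately never trusts the method or URI the client claims to have hashed; it rebuilds A2 from the request line it parsed, which is what makes the first two bugs visible as an authentication failure rather than a silent success. Tracking `nc` per server nonce is what turns the third bug into a rejected replay; a server that skips it, or a client that asks for a fresh challenge on every request, is back at the RFC 2069 level the message describes.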