Re: New issue: Need for an HTTP request method registry

On Fri, 2007-08-10 at 10:02 +1200, Adrien de Croy wrote:
> To use digest on a windows platform you can't 
> auth against the windows or AD user database unless you re-write that 
> database (since there's no conversion between one way hashes).  I can't 
> see MS doing that when they can and have just kludged NTLM into HTTP.  
> Is the fact that they had to kludge it in without support an indication 
> of a failing in HTTP?

MS AD supports Digest if you want. But it's not enabled by default due
to security concerns. Apparently this is because they then store the
plaintext password in the internal database and not the less sensitive
Digest H(A1) values (probably to avoid being dependent on the realms
used). Every existing user wanting to use Digest only needs to change
their password after this change to have the AD object updated with the
required password details.

Same for Novell eDirectory with its "universal password" support.

Regards
Henrik

Received on Friday, 10 August 2007 14:11:07 UTC
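
The following is an added example, not part of the original message or of any product mentioned in it. It shows why a stored Digest H(A1) is tied to one realm: a server can verify a response from H(A1) alone, but the stored value stops matching when the realm string changes. It assumes RFC 2617 Digest with algorithm=MD5 and qop=auth; the function names and the realm `renamed.example` are hypothetical, and the other sample values are those of the RFC 2617 example.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def h_a1(username: str, realm: str, password: str) -> str:
    # RFC 2617, algorithm=MD5: H(A1) = MD5(username ":" realm ":" password).
    # A directory can store this per realm instead of the plaintext password.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # response = MD5(H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, claimed, method, uri, nonce, nc, cnonce):
    # The server needs only the stored H(A1), never the password itself.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, claimed)


# Sample values taken from the worked example in RFC 2617.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
REQ = dict(method="GET", uri="/dir/index.html",
           nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
           nc="00000001", cnonce="0a4f113b")


def demo():
    # Value written to the directory when the user sets the password.
    stored = h_a1(USER, REALM, PASSWORD)
    # Client answering a challenge for the same realm.
    same_realm = digest_response(h_a1(USER, REALM, PASSWORD), **REQ)
    # Client answering after the realm was renamed (hypothetical realm name):
    # same password, but the stored H(A1) can no longer verify it.
    new_realm = digest_response(h_a1(USER, "renamed.example", PASSWORD), **REQ)
    return (server_verify(stored, same_realm, **REQ),
            server_verify(stored, new_realm, **REQ))


if __name__ == "__main__":
    print(demo())
```

Because H(A1) is a one-way hash over the realm as well as the password, it cannot be recomputed for a new realm without the plaintext, and it cannot be derived from a different one-way password hash already held in the directory.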