Re: New issue: Need for an HTTP request method registry

Henrik Nordstrom wrote:
> On fre, 2007-08-10 at 10:02 +1200, Adrien de Croy wrote:
>> To use digest on a windows platform you can't 
>> auth against the windows or AD user database unless you re-write that 
>> database (since there's no conversion between one way hashes).  I can't 
>> see MS doing that when they can and have just kludged NTLM into HTTP.  
>> Is the fact that they had to kludge it in without support an indication 
>> of a failing in HTTP?
>
> MS AD supports Digest if you want. But it's not enabled by default due
> to security concerns. Apparently this is because they then store the
> plaintext password in the internal database and not the less sensitive
> Digest H(A1) values (probably to avoid being dependent on the realms
> used). Every existing user wanting to use Digest only needs to change
> their password after this change to have the AD object updated with the
> required password details.
>
> Same for Novell eDirectory with its "universal password" support.
>
> Regards
> Henrik
I'm not sure if you meant that as a good or bad thing :-) A large
set of users never "just" decide to change their passwords, as
anyone who has operated a large user store with several keys
per user (e.g. a KDC) knows.

MS AD and other KDCs store plaintext passwords to make
key type migration possible.
   
    Cheers Leif

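An added illustration (not from the thread) of the realm dependence Henrik mentions: with RFC 2617 Digest, H(A1) = MD5(username:realm:password), so a store holding only H(A1) can verify a user for the realm it was provisioned for, while a plaintext store can derive H(A1) for any realm at authentication time. User names, realms, nonces and the password are constructed sample values.

```python
import hashlib
import hmac

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def h_a1(username: str, realm: str, password: str) -> str:
    """RFC 2617 H(A1) for algorithm=MD5: MD5(username:realm:password).
    The realm is baked in, so one stored H(A1) serves exactly one realm."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side response value for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(ha1_store: dict, username: str, realm: str, method: str, uri: str,
           nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """Server check against a (user, realm) -> H(A1) store.
    No plaintext password is needed, but an H(A1) for this exact realm must exist."""
    ha1 = ha1_store.get((username, realm))
    if ha1 is None:
        return False  # nothing provisioned for this user/realm pair
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

# Constructed sample data (hypothetical user, realms and nonce values).
USER, PASSWORD = "alice", "correct horse"
URI, NONCE, NC, CNONCE = "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
HA1_ONLY_STORE = {(USER, "intranet.example"): h_a1(USER, "intranet.example", PASSWORD)}

def client_response(realm: str) -> str:
    """What a client holding the plaintext password sends for a given realm."""
    return digest_response(h_a1(USER, realm, PASSWORD), "GET", URI, NONCE, NC, CNONCE)

def realm_bound_demo() -> tuple:
    """Same user and password, two realms.
    Returns (H(A1) store, same realm), (H(A1) store, other realm),
    (plaintext store, other realm) verification outcomes."""
    same = verify(HA1_ONLY_STORE, USER, "intranet.example", "GET", URI,
                  NONCE, NC, CNONCE, client_response("intranet.example"))
    other = verify(HA1_ONLY_STORE, USER, "proxy.example", "GET", URI,
                   NONCE, NC, CNONCE, client_response("proxy.example"))
    # A plaintext store computes H(A1) for whatever realm is in play.
    plaintext_derived = {(USER, "proxy.example"): h_a1(USER, "proxy.example", PASSWORD)}
    plain = verify(plaintext_derived, USER, "proxy.example", "GET", URI,
                   NONCE, NC, CNONCE, client_response("proxy.example"))
    return same, other, plain
```

The third outcome is the trade-off in the thread: serving every realm from one record means keeping the password in a form from which H(A1) can still be computed, and an existing one-way hash cannot be converted into it.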
Received on Friday, 10 August 2007 15:11:31 UTC