- From: Leif Johansson <leifj@it.su.se>
- Date: Fri, 10 Aug 2007 17:11:33 +0200
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- CC: Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
Henrik Nordstrom wrote:
> On fre, 2007-08-10 at 10:02 +1200, Adrien de Croy wrote:
>
>> To use digest on a windows platform you can't
>> auth against the windows or AD user database unless you re-write that
>> database (since there's no conversion between one way hashes). I can't
>> see MS doing that when they can and have just kludged NTLM into HTTP.
>> Is the fact that they had to kludge it in without support an indication
>> of a failing in HTTP?
>>
>
> MS AD supports Digest if you want. But it's not enabled by default due
> to security concerns. Apparently this is because they then store the
> plaintext password in the internal database and not the less sensitive
> Digest H(A1) values (probably to avoid being dependent on the realms
> used). Every existing user wanting to use Digest only needs to change
> their password after this change to have the AD object updated with the
> required password details.
>
> Same for Novell eDirectory with its "universal password" support.
>
> Regards
> Henrik
>
I'm not sure if you meant that as a good or bad thing :-) A large
set of users never "just" decide to change their passwords, as
anyone who has operated a large user store with several keys
per user (e.g. a KDC) knows.
MS AD and other KDCs store plaintext passwords to make
key type migration possible.
Cheers Leif
Received on Friday, 10 August 2007 15:11:31 UTC
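The thread turns on why a directory has to keep either the plaintext password or a realm-bound Digest H(A1) value: H(A1) is MD5(username:realm:password), so a store that only holds H(A1) for one realm cannot answer for any other realm, and it cannot be derived from some other one-way hash of the same password. The following Python block, added here as an illustration and not part of the original thread or of any product mentioned in it, implements the RFC 2617 Digest computation and contrasts a store that keeps only H(A1) with one that keeps the plaintext; the usernames, realms, nonces and the `Ha1Store`/`PlaintextStore` classes are constructed for the example.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex, the H() of RFC 2617."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password); note the realm is baked in."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """request-digest for qop=auth as defined in RFC 2617 section 3.2.2.1."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Ha1Store:
    """Constructed example store that keeps only H(A1) for a single realm.

    This is the "less sensitive" option from the thread: a leak exposes
    only realm-bound hashes, but the store can serve exactly one realm."""

    def __init__(self, realm: str):
        self.realm = realm
        self.entries: dict[str, str] = {}

    def set_password(self, username: str, password: str) -> None:
        self.entries[username] = digest_ha1(username, self.realm, password)

    def ha1_for(self, username: str, realm: str):
        if realm != self.realm:
            # H(A1) for a different realm cannot be derived from the
            # stored hash; MD5 is one-way, so the only answer is "unknown".
            return None
        return self.entries.get(username)


class PlaintextStore:
    """Constructed example store that keeps the plaintext password, the
    trade-off the thread attributes to AD: any realm can be served, at the
    cost of a far more sensitive store."""

    def __init__(self):
        self.entries: dict[str, str] = {}

    def set_password(self, username: str, password: str) -> None:
        self.entries[username] = password

    def ha1_for(self, username: str, realm: str):
        pw = self.entries.get(username)
        return None if pw is None else digest_ha1(username, realm, pw)


def verify(store, username: str, realm: str, method: str, uri: str,
           nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """Server-side check of a Digest response against whichever store it has."""
    ha1 = store.ha1_for(username, realm)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    # constant-time comparison so the check does not leak matching prefixes
    return secrets.compare_digest(expected, response)


def demo() -> tuple:
    """Same user, same password, same client: only the store differs.

    Returns (ha1_store_same_realm, ha1_store_other_realm,
             plaintext_store_other_realm)."""
    user, password = "alice", "correct horse battery staple"  # constructed
    nonce, nc, cnonce = "f0e1d2c3b4a5", "00000001", "9a8b7c6d"  # constructed
    method, uri = "GET", "/protected/"

    ha1_store = Ha1Store("intranet")
    ha1_store.set_password(user, password)
    plain_store = PlaintextStore()
    plain_store.set_password(user, password)

    def client_response(realm: str) -> str:
        # the browser always has the plaintext, so it can answer any realm
        ha1 = digest_ha1(user, realm, password)
        return digest_response(ha1, method, uri, nonce, nc, cnonce)

    same = verify(ha1_store, user, "intranet", method, uri,
                  nonce, nc, cnonce, client_response("intranet"))
    other = verify(ha1_store, user, "partner", method, uri,
                   nonce, nc, cnonce, client_response("partner"))
    plain = verify(plain_store, user, "partner", method, uri,
                   nonce, nc, cnonce, client_response("partner"))
    return same, other, plain


if __name__ == "__main__":
    print(demo())  # → (True, False, True)
```

The `Ha1Store` rejects the second realm not because the password is wrong but because it has no way to produce H(A1) for that realm; this is the realm dependency Henrik mentions, and the reason a directory that wants to serve Digest for arbitrary realms ends up holding the plaintext. The RFC 2617 section 3.5 example vector (user `Mufasa`, realm `testrealm@host.com`) can be fed to `digest_ha1` and `digest_response` to confirm the arithmetic.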