RE: Authentication in existing WebDAV servers

Larry Masinter writes:
> The question is whether what's in the spec is actually strong
> enough to ensure interoperability. In integrating network systems
> with WebDAV, it seems that there is no guaranteed authentication
> mechanism that you can be assured of supplying credentials to
> that will work with most servers, even for servers that are
> technically compliant with the spec.
>
> Right now, it says
> "WebDAV applications MUST support the Digest authentication scheme
>    [RFC2069]."
>
> But servers might "implement" digest, not allow digest authentication
> for access rights to any of the server's collections.

It seems to me that since HTTP authentication is challenge-response, a
client that implements Basic and Digest Auth should be able to interoperate
against all HTTP/DAV servers.  In HTTP/DAV, a client issues its request,
receives back a challenge which specifies the kinds of authentication that
can be used to satisfy the challenge, and in response the client reissues
the request with the authentication credentials.  If a server doesn't
implement Digest but does implement Basic, and sends a challenge asking for
Basic, then a client that implements Basic will be able to respond to the
challenge.  So, there is interoperability here, just not interoperability at
the Digest Auth level. If the client must have Digest level auth., and only
receives a Basic challenge, then it could abort the request and pop up a
dialog explaining the problem (good luck making this meaningful to users,
though :-).

> Secondly, "Digest authentication" itself may not be specific
> enough; do you want to specify a minimum algorithm & qop value?

Well, since the only algorithm specified in RFC 2617 is MD5, and I know of
no other fielded Digest algorithms, specifying the Digest algorithm seems a
bit of overkill.  But, it's undoubtedly prudent, and could certainly lead
to less ambiguity in the future.  As for qop value, this doesn't seem like
something we should specify, since it appears to describe a per-message
characteristic, and the DAV spec. cannot guarantee what the per-message
security characteristics may be.

> We've been having some difficulties finding interoperable
> authentication mechanisms for non-browser-based WebDAV use.

Hearing this I have two questions:
a) what do you mean by "interoperable" in this case -- I'm genuinely
unclear.
b) could you give an example of the problems you're encountering?

> Right now,
> it doesn't seem like it does, and the spec might need to change.

Certainly this is an area which hasn't been extensively interoperability
tested, so it's possible there could be problems.  On the other hand, I've
heard no concrete problems yet.

- Jim

Received on Thursday, 4 November 1999 00:56:40 UTC
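The challenge-response flow Jim describes, as an added example that is not part of this thread: a client parses the server's WWW-Authenticate challenges, answers Digest when it is offered, declines to fall back to Basic when Digest is required (the "abort the request" case), and computes the RFC 2617 MD5 / qop=auth response. The sample challenge header and the `choose_scheme` policy are constructed for illustration; the realm, nonce and credentials are the RFC 2617 section 3.5 example values, so the response can be checked against the RFC's own figure.

```python
import hashlib
import re

# Constructed 401 challenge, as a WebDAV server offering both schemes might send it.
# The realm/nonce/opaque values are the RFC 2617 section 3.5 example values.
SAMPLE_CHALLENGE = (
    'Basic realm="testrealm@host.com", '
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

# A scheme name is a token followed by whitespace and a first "param=" (RFC 2617 1.2);
# everything else is a param=value pair, quoted or unquoted.
_TOKEN = re.compile(r'([A-Za-z]+)\s+(?=\w+=)|(\w+)=("[^"]*"|[^,\s]+)')

def parse_challenges(header):
    """Split a WWW-Authenticate value into {scheme: {param: value}}."""
    challenges, current = {}, None
    for scheme, key, value in _TOKEN.findall(header):
        if scheme:
            current = challenges.setdefault(scheme.capitalize(), {})
        elif current is not None:
            current[key.lower()] = value.strip('"')
    return challenges

def choose_scheme(header, require_digest=True):
    """Client policy (hypothetical): answer Digest when offered; use Basic only if
    allowed. None means abort, the only-Basic-offered case in Jim's reply."""
    offered = parse_challenges(header)
    if 'Digest' in offered:
        return 'Digest'
    if 'Basic' in offered and not require_digest:
        return 'Basic'
    return None

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(challenge, user, password, method, uri, cnonce, nc=1):
    """RFC 2617 request-digest for algorithm=MD5 and qop=auth (the only fielded options)."""
    if challenge.get('algorithm', 'MD5').upper() != 'MD5':
        raise ValueError('only MD5 Digest is defined in RFC 2617')
    if 'auth' not in challenge.get('qop', 'auth').split(','):
        raise ValueError('server does not offer qop=auth')
    ha1 = _md5(f'{user}:{challenge["realm"]}:{password}')   # A1 = user:realm:password
    ha2 = _md5(f'{method}:{uri}')                            # A2 = method:digest-uri
    return _md5(f'{ha1}:{challenge["nonce"]}:{nc:08x}:{cnonce}:auth:{ha2}')
```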