- From: Jim Whitehead <ejw@ics.uci.edu>
- Date: Wed, 3 Nov 1999 21:55:54 -0800
- To: Larry Masinter <masinter@parc.xerox.com>, "'WebDAV'" <w3c-dist-auth@w3.org>
Larry Masinter writes:

> The question is whether what's in the spec is actually strong
> enough to ensure interoperability. In integrating network systems
> with WebDAV, it seems that there is no guaranteed authentication
> mechanism that you can be assured of supplying credentials to
> that will work with most servers, even for servers that are
> technically compliant with the spec.
>
> Right now, it says
> "WebDAV applications MUST support the Digest authentication scheme
> [RFC2069]."
>
> But servers might "implement" digest, not allow digest authentication
> for access rights to any of the server's collections.

It seems to me that since HTTP authentication is challenge-response, a client that implements Basic and Digest Auth should be able to interoperate against all HTTP/DAV servers. In HTTP/DAV, a client issues its request, receives back a challenge which specifies the kinds of authentication that can be used to satisfy the challenge, and in response the client reissues the request with the authentication credentials. If a server doesn't implement Digest, but does implement Basic, and sends a challenge asking for Basic, then if the client implements Basic, it will be able to respond to the challenge. So, there is interoperability here, just not interoperability at the Digest Auth level. If the client must have Digest-level auth., and only receives a Basic challenge, then it could abort the request and pop up a dialog explaining the problem (good luck making this meaningful to users, though :-).

> Secondly, "Digest authentication" itself may not be specific
> enough; do you want to specify a minimum algorithm & qop value?

Well, since the only algorithm specified in RFC 2617 is MD5, and I know of no other fielded Digest algorithms, specifying the Digest algorithm seems a bit of overkill. But, it's undoubtedly prudent, and could certainly lead to less ambiguity in the future.

As for qop value, this doesn't seem like something we should specify, since it appears to describe a per-message characteristic, and the DAV spec. cannot guarantee what the per-message security characteristics may be.

> We've been having some difficulties finding interoperable
> authentication mechanisms for non-browser-based WebDAV use.

Hearing this I have two questions:

a) what do you mean by "interoperable" in this case -- I'm genuinely unclear.

b) could you give an example of the problems you're encountering?

> Right now,
> it doesn't seem like it does, and the spec might need to change.

Certainly this is an area which hasn't been extensively interoperability tested, so it's possible there could be problems. On the other hand, I've heard no concrete problems yet.

- Jim
Received on Thursday, 4 November 1999 00:56:40 UTC
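The challenge-response exchange Jim describes (server sends a WWW-Authenticate challenge, client reissues the request with credentials matching whichever scheme was offered) is shown below as an added example. It is not code from the original message or from any WebDAV implementation. It parses a Basic or Digest challenge, builds the Authorization header (Digest per RFC 2617 with MD5, using qop=auth when offered and the RFC 2069 form when not), and verifies the Digest response on the server side. The sample challenge values are the ones in the RFC 2617 example (user "Mufasa", realm "testrealm@host.com"); the `require_digest` flag, the `users` table and the fixed cnonce are assumptions added for illustration so a client can refuse a Basic-only challenge the way Jim suggests.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample challenges. The Digest one reuses the RFC 2617 section 3.5 example values.
SAMPLE_DIGEST_CHALLENGE = (
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
SAMPLE_BASIC_CHALLENGE = 'Basic realm="WallyWorld"'

# key="quoted value" or key=token, separated by commas (same syntax for
# WWW-Authenticate and Authorization).
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header):
    """Split a WWW-Authenticate/Authorization value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {k: (quoted or token) for k, quoted, token in _PARAM_RE.findall(rest)}
    return scheme.lower(), params


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 Digest response (MD5). Falls back to the RFC 2069 form without qop."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(challenge, method, uri, username, password,
                        require_digest=False, cnonce="0a4f113b", nc="00000001"):
    """Client side: answer whichever scheme the server challenged with.

    require_digest (an assumed option, not part of any spec) makes the client
    abort on a Basic-only challenge instead of sending the password in clear.
    """
    scheme, p = parse_challenge(challenge)
    if scheme == "basic":
        if require_digest:
            raise ValueError("server offered only Basic; Digest required")
        token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
        return f"Basic {token}"
    if scheme == "digest":
        if p.get("algorithm", "MD5").upper() != "MD5":
            raise ValueError(f"unsupported Digest algorithm: {p['algorithm']}")
        offered = [q.strip() for q in p.get("qop", "").split(",") if q.strip()]
        qop = "auth" if "auth" in offered else None  # auth-int would also need the body hash
        resp = digest_response(username, password, p["realm"], method, uri,
                               p["nonce"], qop, nc, cnonce)
        parts = [f'username="{username}"', f'realm="{p["realm"]}"',
                 f'nonce="{p["nonce"]}"', f'uri="{uri}"', f'response="{resp}"']
        if qop:
            parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
        if "opaque" in p:
            parts.append(f'opaque="{p["opaque"]}"')
        return "Digest " + ", ".join(parts)
    raise ValueError(f"unsupported authentication scheme: {scheme}")


def server_verify(authorization, method, users, expected_nonce):
    """Server side: recompute the Digest response from the stored password.

    `users` is an assumed {username: password} table for the example; a real
    server would store HA1 (username:realm:password hashed) rather than the password.
    """
    scheme, p = parse_challenge(authorization)
    if scheme != "digest" or p.get("nonce") != expected_nonce:
        return False
    password = users.get(p.get("username"))
    if password is None:
        return False
    expected = digest_response(p["username"], password, p.get("realm", ""), method,
                               p.get("uri", ""), p["nonce"], p.get("qop"),
                               p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    nonce = parse_challenge(SAMPLE_DIGEST_CHALLENGE)[1]["nonce"]
    auth = build_authorization(SAMPLE_DIGEST_CHALLENGE, "PROPFIND", "/dav/", "Mufasa", "Circle Of Life")
    print(auth)
    print("verified:", server_verify(auth, "PROPFIND", {"Mufasa": "Circle Of Life"}, nonce))
```

The client answers Basic or Digest according to the challenge, which is the interoperability Jim describes; the server-side check shows why a server that "implements" Digest only in the sense of parsing the header, without actually issuing a Digest challenge for its collections, gives a client nothing to respond to.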