RE: Digest Authentication

Actually, you do not need to store cleartext in both cases.

As Geoff explained, digest requires the server to store
a secure hash of the username/password. You can use the
same hash to verify Basic authentication, since the client
send the password in (almost) clear text.

Best Regards, Stefan

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Clemm, Geoff
> Sent: Tuesday, October 16, 2001 5:47 PM
> To: WebDAV
> Subject: RE: Digest Authentication
>
>
> Are you sure you are not confusing digest authentication with basic
> authentication?  With digest authentication, a server only needs to
> expose its passwords in a cryptographically secure hash-coded form.
>
> Cheers,
> Geoff
>
> -----Original Message-----
> From: Dylan Barrell [mailto:dbarrell@opentext.com]
> Sent: Tuesday, October 16, 2001 11:13 AM
> To: WebDAV
> Subject: Digest Authentication
>
>
> I would like to propose a small change to the webDAV specification.
>
> Digest Authentication requires that a server store its passwords in such a
> way that they be available in clear text format.
>
> Our experience with our customers has shown that this is TOTALLY
> UNACCEPTABLE.
>
> As a result, we will not be able to implement digest authentication in our
> webDAV server.
>
> I would like to propose that the Digest Authentication requirement be
> demoted from mandatory to optional.
>
> --Dylan
>
>
>

Received on Tuesday, 16 October 2001 11:56:23 UTC