RE: Digest Authentication from Stefan Eissing on 2001-10-16 (w3c-dist-auth@w3.org from October to December 2001)

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Tue, 16 Oct 2001 18:19:20 +0200
To: "WebDAV" <w3c-dist-auth@w3.org>
Message-ID: <NDBBKJABLJNMLJELONBKCEEHDBAA.stefan.eissing@greenbytes.de>

As an afterthought: If Dylan wants to be safe that somebody
stealing the encrypted passwords cannot log in to the server,
then Digest Authentication is indeed not a good idea. (See
RFC 2617, Chapter 4.13).

If you need to be safe in the case of stolen "password files",
you need to upgrade to TLS and basic auth or use client certs.

//Stefan

> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Stefan Eissing
> Sent: Tuesday, October 16, 2001 5:57 PM
> To: Clemm, Geoff; WebDAV
> Subject: RE: Digest Authentication
> 
> 
> Actually, you do not need to store cleartext in both cases.
> 
> As Geoff explained, digest requires the server to store
> a secure hash of the username/password. You can use the
> same hash to verify Basic authentication, since the client
> send the password in (almost) clear text.
> 
> Best Regards, Stefan
> 
> > -----Original Message-----
> > From: w3c-dist-auth-request@w3.org
> > [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Clemm, Geoff
> > Sent: Tuesday, October 16, 2001 5:47 PM
> > To: WebDAV
> > Subject: RE: Digest Authentication
> >
> >
> > Are you sure you are not confusing digest authentication with basic
> > authentication?  With digest authentication, a server only needs to
> > expose its passwords in a cryptographically secure hash-coded form.
> >
> > Cheers,
> > Geoff
> >
> > -----Original Message-----
> > From: Dylan Barrell [mailto:dbarrell@opentext.com]
> > Sent: Tuesday, October 16, 2001 11:13 AM
> > To: WebDAV
> > Subject: Digest Authentication
> >
> >
> > I would like to propose a small change to the webDAV specification.
> >
> > Digest Authentication requires that a server store its 
> passwords in such a
> > way that they be available in clear text format.
> >
> > Our experience with our customers has shown that this is TOTALLY
> > UNACCEPTABLE.
> >
> > As a result, we will not be able to implement digest 
> authentication in our
> > webDAV server.
> >
> > I would like to propose that the Digest Authentication requirement be
> > demoted from mandatory to optional.
> >
> > --Dylan
> >
> >
> >
> 
>

Received on Tuesday, 16 October 2001 12:18:05 UTC