Re: Digest Authentication

Accidentally caught by the spam filter.  I have added joe@manyfish.co.uk to
the accept2 list, so future email from this address will go straight
through.

- Jim

-----Original Message-----
From: Joe Orton [mailto:joe@manyfish.co.uk]
Sent: Tuesday, October 16, 2001 12:10 PM
To: WebDAV
Subject: [Moderator Action] Re: Digest Authentication


On Tue, Oct 16, 2001 at 02:36:56PM -0400, Dylan Barrell wrote:
> We did think of this solution, but that means that we always have to use
> the same nonce value and we end up getting no security improvement over
> basic authentication - so the argument that it is more secure than basic
> is bogus if you do this.

Mmm; I think you are misunderstanding something? RFC2617 section 3.3:

   Note that the HTTP server does not actually need to know the user's
   cleartext password. As long as H(A1) is available to the server, the
   validity of an Authorization header may be verified.

Where H(A1) is just the MD5 of (user + ":" + realm + ":" + password)...

joe

Received on Tuesday, 16 October 2001 16:34:54 UTC
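The point Joe makes above, shown in code (an added example, not code from the thread): the server keeps only H(A1), the client keeps the password, and the nonce still varies per request because it only enters the final hash, never H(A1). The example uses the qop="auth" form from RFC 2617 section 3.2.2 and the RFC 2617 section 3.5 test vector (user "Mufasa", realm "testrealm@host.com"); the function names are my own.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def h_a1(user: str, realm: str, password: str) -> str:
    # RFC 2617 3.2.2.2: H(A1) = MD5(user ":" realm ":" password).
    # This is all the server has to store; the nonce is not part of it.
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # H(A2) = MD5(method ":" digest-uri) for qop=auth.
    ha2 = md5_hex(f"{method}:{uri}")
    # request-digest = MD5(H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2))
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # The client is the only party that needs the cleartext password.
    return digest_response(h_a1(user, realm, password), method, uri, nonce, nc, cnonce)


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, presented: str) -> bool:
    # The server recomputes the digest from the stored H(A1) and the nonce
    # it issued for this request, then compares in constant time.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, presented)


if __name__ == "__main__":
    # Test vector from RFC 2617 section 3.5.
    stored = h_a1("Mufasa", "testrealm@host.com", "Circle Of Life")
    resp = client_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    print(resp)  # 6629fae49393a05397450978507c4ef1
    print(server_verify(stored, "GET", "/dir/index.html",
                        "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", resp))
```

A second request with a fresh server nonce produces a different response, yet the server still verifies it from the same stored H(A1).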