
Re: Digest Authentication

From: Jim Whitehead <ejw@cse.ucsc.edu>
Date: Tue, 16 Oct 2001 13:31:06 -0700
To: "WebDAV" <w3c-dist-auth@w3.org>
Accidentally caught by the spam filter.  I have added joe@manyfish.co.uk to
the accept2 list, so future email from this address will go straight

- Jim

-----Original Message-----
From: Joe Orton [mailto:joe@manyfish.co.uk]
Sent: Tuesday, October 16, 2001 12:10 PM
To: WebDAV
Subject: [Moderator Action] Re: Digest Authentication

On Tue, Oct 16, 2001 at 02:36:56PM -0400, Dylan Barrell wrote:
> We did think of this solution, but that means that we always have to use
> same nonce value and we end up getting no security improvement over basic
> authentication - so the argument that it is more secure than basic is
> if you do this.

Mmm; I think you are misunderstanding something? RFC2617 section 3.3:

   Note that the HTTP server does not actually need to know the user's
   cleartext password. As long as H(A1) is available to the server, the
   validity of an Authorization header may be verified.

Where H(A1) is just the MD5 of (user + ":" + realm + ":" + password)...

Received on Tuesday, 16 October 2001 16:34:54 UTC
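An added example, not part of this thread or of any WebDAV implementation, showing the RFC 2617 point Joe quotes: a server that stores only H(A1) = MD5(user:realm:password) can verify a Digest Authorization header against a fresh nonce for every challenge, so nothing forces nonce reuse. The realm, username, password and the PROPFIND request are constructed sample values.

```python
import hashlib
import hmac
import secrets


def h(s: str) -> str:
    """The H() of RFC 2617: MD5 hex digest of the text."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(user:realm:password); the only secret the server needs."""
    return h(f"{username}:{realm}:{password}")


def response(ha1_hex: str, nonce: str, method: str, uri: str,
             qop: str = "", nc: str = "", cnonce: str = "") -> str:
    """Request-digest of RFC 2617 3.2.2.1, computed from H(A1), not the password."""
    ha2 = h(f"{method}:{uri}")
    if qop == "auth":
        return h(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return h(f"{ha1_hex}:{nonce}:{ha2}")  # RFC 2069-compatible form without qop


# Server side (constructed sample): the store holds H(A1) only, never the password.
REALM = "webdav@example.com"
USERDB = {"alice": ha1("alice", REALM, "correct horse battery staple")}


def server_challenge() -> str:
    """Fresh unpredictable nonce per challenge; no fixed nonce is needed."""
    return secrets.token_hex(16)


def server_verify(username: str, nonce: str, method: str, uri: str,
                  client_response: str, qop: str = "", nc: str = "", cnonce: str = "") -> bool:
    stored = USERDB.get(username)
    if stored is None:
        return False
    expected = response(stored, nonce, method, uri, qop, nc, cnonce)
    return hmac.compare_digest(expected, client_response)  # constant-time compare


# Client side: derives H(A1) from the password it knows and answers the challenge.
def client_authorize(username: str, password: str, nonce: str, method: str,
                     uri: str, cnonce: str = "0a4f113b") -> dict:
    r = response(ha1(username, REALM, password), nonce, method, uri, "auth", "00000001", cnonce)
    return {"username": username, "nonce": nonce, "uri": uri, "qop": "auth",
            "nc": "00000001", "cnonce": cnonce, "response": r}


def demo_round_trip(password: str) -> bool:
    """One challenge/response exchange for a WebDAV PROPFIND; True if accepted."""
    nonce = server_challenge()
    a = client_authorize("alice", password, nonce, "PROPFIND", "/dav/")
    return server_verify(a["username"], a["nonce"], "PROPFIND", a["uri"],
                         a["response"], a["qop"], a["nc"], a["cnonce"])
```

Each call to demo_round_trip uses a different nonce, and the server never sees the cleartext password. Digest still exposes H(A1) as a password-equivalent if the credential store leaks, so it must be protected like a password file.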
