- From: Jim Whitehead <ejw@cse.ucsc.edu>
- Date: Tue, 16 Oct 2001 13:31:06 -0700
- To: "WebDAV" <w3c-dist-auth@w3.org>
Accidentally caught by the spam filter. I have added joe@manyfish.co.uk to the accept2 list, so future email from this address will go straight through.

- Jim

-----Original Message-----
From: Joe Orton [mailto:joe@manyfish.co.uk]
Sent: Tuesday, October 16, 2001 12:10 PM
To: WebDAV
Subject: [Moderator Action] Re: Digest Authentication

On Tue, Oct 16, 2001 at 02:36:56PM -0400, Dylan Barrell wrote:
> We did think of this solution, but that means that we always have to use the
> same nonce value and we end up getting no security improvement over basic
> authentication - so the argument that it is more secure than basic is bogus
> if you do this.

Mmm; I think you are misunderstanding something? RFC2617 section 3.3:

   Note that the HTTP server does not actually need to know the user's
   cleartext password. As long as H(A1) is available to the server, the
   validity of an Authorization header may be verified.

Where H(A1) is just the MD5 of (user + ":" + realm + ":" + password)...

joe
Received on Tuesday, 16 October 2001 16:34:54 UTC