- From: Dirk-Willem van Gulik <dirkx@webweaving.org>
- Date: Wed, 17 Oct 2001 04:45:38 +0200 (CEST)
- To: Dylan Barrell <dbarrell@opentext.com>
- cc: WebDAV <w3c-dist-auth@w3.org>
On Tue, 16 Oct 2001, Dylan Barrell wrote: Please check RFC2617. This issue was noted during the design of the digest method and effectively addressed. Or in other words: As long as the hash over the username/real/password is known to the server - any nonce can be used. See http://httpd.apache.org/docs/mod/mod_auth_digest.html and it's source for what and how. Dw > We did think of this solution, but that means that we always have to use the > same nonce value and we end up getting no security improvement over basic > authentication - so the argument that it is more secure than basic is bogus > if you do this. > > --Dylan > > > -----Original Message----- > > From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org] > > Sent: Tuesday, October 16, 2001 2:02 PM > > To: Dylan Barrell > > Cc: WebDAV > > Subject: Re: Digest Authentication > > > > > > > > > > On Tue, 16 Oct 2001, Dylan Barrell wrote: > > > > > Digest Authentication requires that a server store its > > passwords in such a > > > way that they be available in clear text format. > > > > Actually though your implementation -could- store the password on disk as > > plain text - most do not; and it is technically not required. Some bad > > implementations do store it plain - but (for example) the apache web > > server stores the password as a hash (md5 or crypt) on the server side. > > > > See http://cvs.apache.org -> apache-1.3 -> src/support/htpasswd.c and > > src/support/htdigest.c to get an idea of the code). > > > > So it is not a requirement - just an implementation choise. > > > > It is true that with normal basic auth the password goes over the wire in > > the clear; but with digest auth this is not the case. > > > > Dw >
Received on Tuesday, 16 October 2001 22:45:48 UTC