RE: Digest Authentication from Matt Timmermans on 2001-10-22 (w3c-dist-auth@w3.org from October to December 2001)

From: Matt Timmermans <mtimmerm@opentext.com>
Date: Mon, 22 Oct 2001 18:28:40 -0400
To: "'Phillip Hallam-Baker'" <hallam@ai.mit.edu>, "'Dylan Barrell'" <dbarrell@opentext.com>, "'WebDAV'" <w3c-dist-auth@w3.org>, "'Lisa Dusseault'" <lisa@xythos.com>
Message-ID: <001501c15b48$e7c5fe10$d482a8c0@mt2k>

Hi All,

I'm working on Open Text's WebDAV server, so these issues are somewhat
important to me.

At issue is not whether or not it's OK to allow Basic, but whether or not
it's necessary, or even acceptable, to require Digest.  This is not a binary
decision.  These are separate questions.

The offending sentence is in paragraph 3 of 17.1, where it says "WebDAV
applications MUST support the Digest authentication scheme".

For a server application, a reasonable interpretation of this directive
means that a client can authenticate with any WebDAV server using Digest
authentication.  This implies (in the strong sense) that a server _cannot_
require stronger authentication.  It similarly implies that a client
_cannot_ require stronger authentication.  It also implies that WebDAV
servers cannot exist in authenticated environments that are _too_secure_ to
support Digest.

I'm willing to accept that IETF and W3C policies would forbid sending
passwords in the clear, and I'll admit to not having done an exhaustive
search, but I cannot believe that it is the policy of either IETF or W3C to
forbid organizational requirements for strong authentication mechanisms.

Paragraph 2 in 17.1 already sets the appropriate lower bound on
authentication security, by giving the admonition against Basic over
insecure channels.  Paragraph 3 sets only _upper_ bounds on authentication
security, which is completely inappropriate.

I suspect that the intent of paragraph 3 was to guarantee some level of
interoperability when Basic was disallowed, because Basic is usually used as
the final fallback.  Appropriate wording would be "If a WebDAV client
application supports the Basic authentication scheme, then it must also
support Digest, and must choose to use Digest over Basic in all
circumstances where the server permits both".  This leaves both clients and
servers free to require strong authentication.  It also lets the server
require at least Digest as its lowest common denominator, without
sacrificing interoperability with any clients.


> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Phillip Hallam-Baker
> Sent: Friday, October 19, 2001 9:47 PM
> To: 'Dylan Barrell'; 'WebDAV'; 'Lisa Dusseault'
> Subject: RE: Digest Authentication
>
>
> IETF security policy is the reason why Digest is mandatory.
>
> W3C policy is not going to accept sending passwords in the clear
> either.
>
> 		Phill

Received on Monday, 22 October 2001 18:29:47 UTC