W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2001

RE: Digest Authentication

From: Matt Timmermans <mtimmerm@opentext.com>
Date: Tue, 23 Oct 2001 19:05:19 -0400
To: "'Jim Whitehead'" <ejw@cse.ucsc.edu>, "'Dylan Barrell'" <dbarrell@opentext.com>, "'WebDAV'" <w3c-dist-auth@w3.org>
Message-ID: <001e01c15c17$30868510$d482a8c0@mt2k>
I'm happy with Basic over SSL.  If you want security over the Web, you might
as well use SSL.

Most of our intranet customers would probably prefer NTLM.

For parts of the intranet that don't require security, Basic suffices.

I'm not sure that really secure authentication without SSL is even a
requirement, but if you want it, then there are several alternative public
key technologies that do just fine.  While any organization might choose one
of these, they are not without IP issues, as you've noted.

Without public key techniques, there is a limit on how secure authentication
can be.  Digest doesn't meet that limit, because it's possible to require
eavesdropping on an authentication session _and_ access to the server's
stored password information, before it's possible to impersonate a user.  I
don't know of any standard scheme like this, though, and I don't know if
there's a need for one.

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Jim Whitehead
> Sent: Tuesday, October 23, 2001 6:20 PM
> To: Dylan Barrell; mtimmerm@opentext.com; 'WebDAV'
> Subject: RE: Digest Authentication
> Dylan, Matt, others: Out of curiosity, what authentication
> options do you
> consider to be good enough to meet your requirements?
> - Jim
Received on Tuesday, 23 October 2001 19:06:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:24 UTC