Resolving Digest authentication issue

Jason Crawford pointed out to me that we never resolved the Digest
authentication issue, so let me take a stab at it. If you quibble with the
wording below, don't just say you don't like it -- suggest some alternate
wording.

Dylan Barrel [1] and Alan Kent [2] describe the issues with supporting
Digest authentication on the server, and their contention that support for
Digest is unacceptable:

[1] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0062.html
[2] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0087.html

I clarified the meaning of "supports Digest authentication" in [3]:

[3] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0073.html

I think Matt Timmerman's post [4] has the start of a solution:

[4] http://lists.w3.org/Archives/Public/w3c-dist-auth/2001OctDec/0080.html

Thus, I propose the following authentication requirements:

* Basic MUST NOT be used unless the connection is secure. Secure is defined
to be TLS over the Internet, a physically secure network, or a network
behind a well-administered firewall.

Client requirements: MUST support Basic, SSL/TLS support is STRONGLY
RECOMMENDED
Server requirements: SHOULD support Basic, SSL/TLS support is STRONGLY
RECOMMENDED

* Digest SHOULD be used when the connection is insecure, such as a non-TLS
connection over the Internet.

Client requirements: MUST support Digest
Server requirements: SHOULD support Digest, but it is acceptable for Digest
authentication to be disabled by default. It SHOULD be possible for an
administrator to configure a server to use Digest.

* Additional authentication schemes beyond Basic and Digest MAY be
supported, whether or not described in an IETF specification. Implementors
should be aware that use of other authentication schemes guarantees some
level of non-interoperation of that authentication scheme, since all WebDAV
clients and servers cannot be expected to support that authentication
scheme.

So, for example, it's OK for people to support NTLM.

* Finally, to guarantee some level of authentication will be possible: a
server MUST at minimum support either Basic OR Digest. A server SHOULD
support Basic AND Digest.
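As an added illustration (not code from the original post or from the WebDAV working group), here is a server-side sketch of the proposed rules in Python: Basic is accepted only on a connection the server considers secure, Digest (RFC 2617, MD5, qop=auth) is verified from a stored H(A1) on any connection, and the challenge list offered to clients follows the same policy. The realm, account, password and nonce values are constructed samples.

```python
import hashlib
import hmac

REALM = "webdav@example.org"  # constructed sample realm

def h(*parts: str) -> str:
    """MD5 of the colon-joined parts, as RFC 2617 defines H() and KD()."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()

# The server keeps only H(A1) = MD5(user:realm:password) per account
# (constructed user "alice" / password "s3cret"), never the password itself.
USERS_HA1 = {"alice": h("alice", REALM, "s3cret")}

def challenges(secure: bool, digest_enabled: bool, nonce: str) -> list:
    """WWW-Authenticate values per the proposal: offer Digest when the
    administrator has enabled it, offer Basic only on a secure connection."""
    out = []
    if digest_enabled:
        out.append(f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", algorithm=MD5')
    if secure:
        out.append(f'Basic realm="{REALM}"')
    return out

def digest_response(ha1: str, method: str, p: dict) -> str:
    """RFC 2617: response = KD(H(A1), nonce:nc:cnonce:qop:H(A2)) with qop=auth.
    Only this hash crosses the wire; the password never does."""
    ha2 = h(method, p["uri"])
    return h(ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"], ha2)

def authenticate(secure: bool, scheme: str, p: dict, method: str = "PROPFIND") -> bool:
    """Apply the proposed policy to one parsed Authorization header."""
    if scheme == "Basic":
        if not secure:  # Basic sends the password in the clear: refuse it here
            return False
        user, pwd = p["credentials"]
        return hmac.compare_digest(USERS_HA1.get(user, ""), h(user, REALM, pwd))
    if scheme == "Digest":
        ha1 = USERS_HA1.get(p.get("username"))
        if ha1 is None or p.get("qop") != "auth":
            return False
        return hmac.compare_digest(digest_response(ha1, method, p), p["response"])
    return False  # other schemes (e.g. NTLM) are outside this sketch

# Constructed client reply, as a Digest-capable client would compute it.
SAMPLE = {"username": "alice", "uri": "/dav/", "nonce": "dcd98b7102dd2f0e",
          "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth"}
SAMPLE["response"] = digest_response(h("alice", REALM, "s3cret"), "PROPFIND", SAMPLE)
```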

Note that the terms MUST and SHOULD are being used as defined in RFC 2119:

1. MUST   This word, or the terms "REQUIRED" or "SHALL", mean that the
   definition is an absolute requirement of the specification.

3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
   may exist valid reasons in particular circumstances to ignore a
   particular item, but the full implications must be understood and
   carefully weighed before choosing a different course.

For example, I would say that Dylan and Matt have carefully weighed the
implications of Digest support, and so if they decided not to support Digest
under the language above, this would meet the letter and the spirit of the
proposed language.

Comments?

- Jim

Received on Thursday, 1 November 2001 20:56:39 UTC