- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Wed, 18 Sep 2002 10:32:38 +0200
- To: "Lisa Dusseault" <lisa@xythos.com>
- Cc: "'Ilya Kirnos'" <ilya.kirnos@oracle.com>, "'Julian Reschke'" <julian.reschke@gmx.de>, "'Webdav WG'" <w3c-dist-auth@w3c.org>
On Wednesday, 18 September 2002, at 04:10, Lisa Dusseault wrote:

> [...]
> Can anybody come up with other clever ways for the client to try to
> authenticate? E.g. is it possible for a client to send a reasonable
> Digest authentication header with its first request (probably a
> PROPFIND, but whatever method happens to be first), and if the
> information therein (e.g. realm) is bad, the server responds with the
> WWW-Authenticate header with the correct prompting? That doesn't quite
> solve Ilya's performance problem, but perhaps the HTTP 1.1 Continue
> mechanism would solve that specific issue.

As someone on the list already pointed out, the client cannot guess a valid Digest Authentication header. It's one main strength of digest authentication that the client is not able to do this. Otherwise an attacker might be able to use a replay attack.

I'm not sure however what a server will do upon seeing a nonsense Authenticate header from the client. Will it always send a challenge back? (Unfortunately we cannot make this a requirement in WebDAV since this belongs in another RFC.)

//Stefan
Received on Wednesday, 18 September 2002 04:32:51 UTC
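The point Stefan makes above (a client cannot pre-compute a valid Digest header because the response is bound to a server-issued nonce, and that binding is what blocks replay) can be shown with a small RFC 2617 Digest (qop="auth") simulation. This is an added illustration, not code from the thread or from any WebDAV implementation; the realm, the user "alice", the password, the request URI and the class and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added illustration of RFC 2617 Digest (qop="auth") challenge/response.
# Not code from the WebDAV WG thread; realm and credentials below are constructed.
REALM = "webdav@example.invalid"
USERS = {"alice": "correct horse"}


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side computation of the Digest 'response' parameter (RFC 2617, qop=auth)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server side: issues nonces and validates Authorization parameters."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users
        self.seen = {}  # nonce -> highest nonce-count accepted so far

    def challenge(self):
        """Parameters a server would place in WWW-Authenticate on a 401."""
        nonce = secrets.token_hex(16)
        self.seen[nonce] = 0
        return {"realm": self.realm, "qop": "auth", "nonce": nonce}

    def verify(self, method, creds):
        """True only for a response bound to a nonce this server issued and not yet replayed."""
        nonce = creds.get("nonce", "")
        if nonce not in self.seen:
            return False  # never issued: a guessed, forged or stale nonce
        try:
            nc = int(creds.get("nc", ""), 16)
        except ValueError:
            return False
        if nc <= self.seen[nonce]:
            return False  # same or lower nonce-count: replay of an earlier request
        password = self.users.get(creds.get("username", ""))
        if password is None or creds.get("realm") != self.realm:
            return False
        expected = digest_response(creds["username"], self.realm, password, method,
                                   creds["uri"], nonce, creds["nc"], creds["cnonce"])
        if not hmac.compare_digest(expected, creds.get("response", "")):
            return False
        self.seen[nonce] = nc  # record progress so this exact header cannot be reused
        return True


def client_authorization(challenge, username, password, method, uri, nc):
    """Build the Authorization parameters a client sends in answer to a challenge."""
    cnonce = secrets.token_hex(8)
    creds = {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
             "uri": uri, "qop": "auth", "nc": f"{nc:08x}", "cnonce": cnonce}
    creds["response"] = digest_response(username, challenge["realm"], password, method, uri,
                                        challenge["nonce"], creds["nc"], cnonce)
    return creds


def run_scenario():
    """Exercise the four cases discussed in the thread and return the server's verdicts."""
    server = DigestServer(REALM, USERS)
    results = {}

    # 1. First request with a self-invented challenge: the nonce was never issued.
    guessed = {"realm": REALM, "qop": "auth", "nonce": secrets.token_hex(16)}
    creds = client_authorization(guessed, "alice", "correct horse", "PROPFIND", "/dav/", 1)
    results["guessed_nonce"] = server.verify("PROPFIND", creds)

    # 2. Normal flow: 401 challenge, then a response bound to the issued nonce.
    chal = server.challenge()
    creds = client_authorization(chal, "alice", "correct horse", "PROPFIND", "/dav/", 1)
    results["challenged"] = server.verify("PROPFIND", creds)

    # 3. Replay of the identical Authorization header (same nonce, same nc).
    results["replay"] = server.verify("PROPFIND", creds)

    # 4. Legitimate follow-up on the same nonce with an incremented nonce-count.
    creds = client_authorization(chal, "alice", "correct horse", "PROPFIND", "/dav/", 2)
    results["next_nc"] = server.verify("PROPFIND", creds)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The first case is the one Lisa asks about: without a server-issued nonce the client has nothing valid to put in the header, so a real server can only answer with a 401 and a fresh challenge (which RFC 2617, not the WebDAV spec, governs, as Stefan notes). Case 3 shows why the nonce-count matters for replay: the captured header is byte-for-byte valid but is refused because that count was already consumed.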