- From: Werner Baumann <werner.baumann@onlinehome.de>
- Date: Sat, 23 Jun 2007 12:49:50 +0200
- To: Wilfred Nilsen <wilfrednilsen@hotmail.com>
- CC: w3c-dist-auth@w3.org
On
http://barracudaserver.com/products/BarracudaDrive/tutorials/mini_redirector.html
there seems to be a major error concerning security and authentication.
In section *Security* it says:
'It is the client that decides on the authentication method and Windows
Mini-Redirector by default uses Digest Authentication.'
It is the *server* that decides whether it accepts authentication or
not. This includes the authentication method.
In HTTP the server sends a 401-response. This includes the
authentication method to use. With Basic Authentication the client may
send the credentials in advance, without waiting for a 401-response. But
it is still up to the server to accept or not. With Digest
Authentication this is not possible. It is always the server that will
start the authentication dialog.
There is also a clear MUST statement in WebDAV RFC 2518:
'Since Basic
authentication for HTTP/1.1 performs essentially clear text
transmission of a password, Basic authentication MUST NOT be used to
authenticate a WebDAV client to a server unless the connection is
secure.'
So by default, if the connection is not TLS-secured, a server MUST NOT
accept Basic Authentication, and it MUST NOT ask the client for Basic
Authentication. The server may offer a configuration option to the
server administrator, to allow Basic Authentication on
non-TLS-connections. In this case it is up to the
*server*-administrator, to decide whether the network is secure or not.
Cheers
Werner

Wilfred Nilsen wrote:
>
> We have prepared a tutorial for users that would like to map a Windows
> Drive to a WebDAV server using Mini-Redirector. The documentation is
> designed for our server, but the problems we mention are generic
> regarding the Mini-Redirector.
>
> http://barracudaserver.com/products/BarracudaDrive/tutorials/mini_redirector.html
>
>
> I would like some comments on this document as to the accuracy of our
> Mini-Redirector statements.
>
> Regards,
> Wilfred
Received on Saturday, 23 June 2007 20:59:39 UTC
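
The server-side decision described in the message above, as an added example that is not part of the original e-mail or of any server it mentions: the server offers Basic in its 401 only on a TLS connection or when the administrator has opted in, and refuses Basic credentials sent in advance on an insecure link. The names `USERS`, `REALM`, `NONCE`, `challenges`, `respond` and `allow_basic_insecure` are hypothetical, the credential store and nonce are constructed, and header names are assumed to arrive in canonical case.

```python
import base64, hashlib, hmac, re

USERS = {"alice": "s3cret"}                  # constructed credential store
REALM, NONCE = "dav", "constructed-nonce"    # a real server issues fresh nonces

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def challenges(is_tls, allow_basic_insecure=False):
    """WWW-Authenticate values for a 401; the server picks the schemes."""
    offers = [f'Digest realm="{REALM}", qop="auth", nonce="{NONCE}"']
    if is_tls or allow_basic_insecure:       # RFC 2518: no Basic on an insecure link
        offers.append(f'Basic realm="{REALM}"')
    return offers

def basic_ok(value):
    try:
        user, _, pw = base64.b64decode(value, validate=True).decode().partition(":")
    except ValueError:                       # bad base64 or bad UTF-8
        return False
    return user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode())

def digest_ok(value, method):
    # RFC 2617 qop=auth check: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    p = dict(re.findall(r'(\w+)="?([^",]+)"?', value))
    user = p.get("username", "")
    if user not in USERS or p.get("nonce") != NONCE or p.get("qop") != "auth":
        return False
    ha1 = md5(f"{user}:{REALM}:{USERS[user]}")
    ha2 = md5(f"{method}:{p.get('uri', '')}")
    want = md5(f"{ha1}:{NONCE}:{p.get('nc')}:{p.get('cnonce')}:auth:{ha2}")
    return hmac.compare_digest(want.encode(), p.get("response", "").encode())

def respond(method, headers, is_tls, allow_basic_insecure=False):
    """Return (status, WWW-Authenticate values) for one request."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    basic_allowed = is_tls or allow_basic_insecure
    if scheme.lower() == "basic" and basic_allowed and basic_ok(value):
        return 200, []
    if scheme.lower() == "digest" and digest_ok(value, method):
        return 200, []
    # Missing, wrong, or disallowed credentials: the server states what it accepts.
    return 401, challenges(is_tls, allow_basic_insecure)
```
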