- From: Alex Jalali <alex@ubudesign.com>
- Date: Sat, 23 Jun 2007 15:44:19 -0700
- To: "'Werner Baumann'" <werner.baumann@onlinehome.de>, "'Wilfred Nilsen'" <wilfrednilsen@hotmail.com>
- Cc: <w3c-dist-auth@w3.org>
What I've noticed is that for the OPTION method only the mini-redirector does not respond to a Digest request or anything else. For PROPFIND I think it responds with credentials only after a second server's unauthorized response.

-----Original Message-----
From: w3c-dist-auth-request@w3.org [mailto:w3c-dist-auth-request@w3.org] On Behalf Of Werner Baumann
Sent: Saturday, June 23, 2007 3:50 AM
To: Wilfred Nilsen
Cc: w3c-dist-auth@w3.org
Subject: Re: Need feedback on new Mini-Redirector tutorial

On http://barracudaserver.com/products/BarracudaDrive/tutorials/mini_redirector.html there seems to be a major error concerning security and authentication.

In section *Security* it says:
'It is the client that decides on the authentication method and Windows Mini-Redirector by default uses Digest Authentication.'

It is the *server* that decides whether it accepts authentication or not. This includes the authentication method. In HTTP the server sends a 401-response. This includes the authentication method to use.

With Basic Authentication the client may send the credentials in advance, without waiting for a 401-response. But it is still up to the server to accept or not. With Digest Authentication this is not possible. It is always the server that will start the authentication dialog.

There is also a clear MUST statement in WebDAV RFC 2518:
'Since Basic authentication for HTTP/1.1 performs essentially clear text transmission of a password, Basic authentication MUST NOT be used to authenticate a WebDAV client to a server unless the connection is secure.'

So by default, if the connection is not TLS-secured, a server MUST NOT accept Basic Authentication, and it MUST NOT ask the client for Basic Authentication. The server may offer a configuration option to the server administrator, to allow Basic Authentication on non-TLS-connections. In this case it is up to the *server*-administrator, to decide whether the network is secure or not.

Cheers
Werner

Wilfred Nilsen wrote:
>
> We have prepared a tutorial for users that would like to map a Windows
> Drive to a WebDAV server using Mini-Redirector. The documentation is
> designed for our server, but the problems we mention are generic
> regarding the Mini-Redirector.
>
> http://barracudaserver.com/products/BarracudaDrive/tutorials/mini_redirector.html
>
> I would like some comments on this document as to the accuracy of our
> Mini-Redirector statements.
>
> Regards,
> Wilfred
>
> _________________________________________________________________
> MSN Music http://music.msn.no Find your favourite music among nearly 1
> million songs
>
Received on Saturday, 23 June 2007 22:44:41 UTC
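
Added example, not part of the original thread or of any server discussed in it: a sketch of the server-side decision the quoted message describes, where the 401 response names the schemes, Basic is offered and accepted only over TLS unless the administrator opts in, and Digest works only with a server-issued nonce. The realm, account, function names and the `allow_basic_cleartext` option are assumptions made for illustration.

```python
import base64, hashlib, hmac, re, secrets

REALM = "dav"                # constructed realm
USERS = {"alice": "s3cret"}  # constructed account; a real server would store HA1, not the password
NONCES = set()               # nonces this server issued (no expiry here, an assumption)

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def challenges(is_tls, allow_basic_cleartext=False):
    """WWW-Authenticate values for a 401: the server picks the schemes."""
    nonce = secrets.token_hex(16)
    NONCES.add(nonce)
    offered = [f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"']
    if is_tls or allow_basic_cleartext:  # RFC 2518: no Basic unless the connection is secure
        offered.append(f'Basic realm="{REALM}"')
    return offered

def check_basic(value):
    try:
        user, _, pw = base64.b64decode(value).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    return user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode())

def check_digest(value, method):
    # Simple parameter parser; does not handle commas inside quoted values.
    p = dict(re.findall(r'(\w+)="?([^",]+)"?', value))
    user, nonce = p.get("username"), p.get("nonce")
    if user not in USERS or nonce not in NONCES or p.get("qop") != "auth":
        return False  # a client cannot start Digest without a server-issued nonce
    ha1 = md5(f"{user}:{REALM}:{USERS[user]}")
    ha2 = md5(f"{method}:{p.get('uri')}")
    want = md5(f"{ha1}:{nonce}:{p.get('nc')}:{p.get('cnonce')}:auth:{ha2}")
    return hmac.compare_digest(want.encode(), p.get("response", "").encode())

def handle(method, headers, is_tls, allow_basic_cleartext=False):
    """Return (status, challenges) for one request."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "basic" and (is_tls or allow_basic_cleartext) and check_basic(value):
        return 200, []
    if scheme == "digest" and check_digest(value, method):
        return 200, []
    # No, bad, or disallowed credentials (including unsolicited Basic over cleartext)
    return 401, challenges(is_tls, allow_basic_cleartext)
```

Correct Basic credentials sent in advance over a cleartext connection get a 401 that offers only Digest, so the client's choice to send them does not change what the server accepts.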