>
>Fair enough. How about using the server-name in place of realm, then?
>(After all, it's possible two webmasters might choose the same realm
>name on different servers, isn't it!) That would render the same
>username/password combination unique on different machines. So the
>stored hash would be:
> H(<username> : <server-domain-name> : <password>)
This isn't any better, given that one user may have multiple occurrences of
the same name and password for different realms. (It happens!) The best
would be a combination of host domain name and realm name.
--_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Chuck Shotton StarNine Technologies, Inc.
chuck@starnine.com http://www.starnine.com/
cshotton@biap.com http://www.biap.com/
"Shut up and eat your vegetables!"
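
The scoping question discussed in this message, as an added example that is not part of the original e-mail: it computes the stored hash under each proposed scope and reports which protected areas would end up holding an identical, interchangeable value. SHA-256 as H, the "/" separator for the combined scope, and all user, host and realm names are assumptions constructed for the illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: one user reusing one password on three protected areas.
USER, PASSWORD = "alice", "correct horse"
DEPLOYMENTS = [
    ("www.example.com", "staff"),
    ("www.example.org", "staff"),    # same realm name, different server
    ("www.example.com", "billing"),  # same server, different realm
]

def H(*fields):
    # Stand-in for the thread's H(); the choice of SHA-256 is an assumption.
    return hashlib.sha256(":".join(fields).encode()).hexdigest()

# What goes in the middle field of H(<username> : <scope> : <password>).
SCHEMES = {
    "realm": lambda host, realm: realm,
    "host": lambda host, realm: host,
    # Host first: a domain name cannot contain "/", so the split is unambiguous.
    "host+realm": lambda host, realm: host + "/" + realm,
}

def stored_hash(scheme, host, realm):
    return H(USER, SCHEMES[scheme](host, realm), PASSWORD)

def shared_hashes(scheme):
    """Groups of protected areas whose stored hash for USER is identical."""
    groups = defaultdict(list)
    for host, realm in DEPLOYMENTS:
        groups[stored_hash(scheme, host, realm)].append((host, realm))
    return sorted(g for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    for scheme in SCHEMES:
        print(f"{scheme:11} shared stored hashes: {shared_hashes(scheme)}")
```
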