Re: potential security holes in digest authorization

Dave Kristol (dmk@allegra.att.com)
Mon, 17 Jul 95 11:06:21 EDT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Albert Lunde: "Re: potential security holes in digest authorization"
Previous message: John Franks: "Re: potential security holes in digest authorization"
Maybe in reply to: Brad Barber: "potential security holes in digest authorization"
Next in thread: Albert Lunde: "Re: potential security holes in digest authorization"

cshotton@biap.com (Chuck Shotton) said:
  > >[Dave Kristol said:]
  > >Fair enough.  How about using the server-name in place of realm, then?
  > >(After all, it's possible two webmasters might choose the same realm
  > >name on different servers, isn't it!) That would render the same
  > >username/password combination unique on different machines.  So the
  > >stored hash would be:
  > >        H(<username> : <server-domain-name> : <password>)
  > 
  > This isn't any better, given that one user may have multiple occurences of
  > the same name and password for different realms. (It happens!) The best
  > would be a combination of host domain name and realm name.

True enough.  But encoding the realm name (along with host domain name)
in the stored string would return me to the dilemma I had before:  what
if I need/want to change domain name?  The entire password file becomes
invalid.

Dave Kristol

Next message: Albert Lunde: "Re: potential security holes in digest authorization"
Previous message: John Franks: "Re: potential security holes in digest authorization"
Maybe in reply to: Brad Barber: "potential security holes in digest authorization"
Next in thread: Albert Lunde: "Re: potential security holes in digest authorization"