Re: potential security holes in digest authorization

Dave Kristol (dmk@allegra.att.com)
Mon, 17 Jul 95 12:59:00 EDT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Koen Holtman: "Report: Problems with the Expires header."
Previous message: John Franks: "Re: potential security holes in digest authorization"
Maybe in reply to: Brad Barber: "potential security holes in digest authorization"
Next in thread: Phillip M. Hallam-Baker: "Re: potential security holes in digest authorization"

John Franks <john@math.nwu.edu> said:
  [I said:]
  > > I disagree with the premise.  I wouldn't encode the domain name that
  > > the user accessed to reach my server.  I would encode the name that the
  > > server uses for itself, for example the name set by NCSA HTTPD
  > > ServerName directive.
  > 
  > How is the client supposed to know this?  You'll have to make further
  > additions to the protocol.  Maybe I am confusing who said what but
  > didn't you also complain that encoding the hostname would make it
  > impossible to move the password file to a new host?  This is a good
  > point and suggests a realm containing the enterprise name, but not the
  > host name -- something like "group@Enterprise_Name" e.g.
  > "Engineering@ATT_Bell_Labs".
You're right -- the client doesn't know the name.  Stupid idea on my part.
[...]

Dave Kristol

Next message: Koen Holtman: "Report: Problems with the Expires header."
Previous message: John Franks: "Re: potential security holes in digest authorization"
Maybe in reply to: Brad Barber: "potential security holes in digest authorization"
Next in thread: Phillip M. Hallam-Baker: "Re: potential security holes in digest authorization"