Re: Some comments on Digest Auth

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Henrik Frystyk Nielsen: "Mandatory draft first revision - please comment!"
• Previous message: Scott Lawrence: "Re: Has the Content-Length issue been resolved?"
• Maybe in reply to: Yaron Goland: "Some comments on Digest Auth"
• Next in thread: Ben Laurie: "Re: Some comments on Digest Auth"

Dave Kristol wrote:
> 
> Paul Leach wrote:
>   > > [DMK:]
>   > > So let me hark back to the discussion of a few weeks ago.  Let's not
>   > > try to make Digest do something it was not intended to do.  Let's
>   > > hold replay-proof Digest for digest-ng discussions.
>   > >
>   > No.
>   >
>   > A replayable Digest is just as bad as Basic.
> 
> Let me say the same thing differently:  A replayable Digest is no worse
> than Basic.  And it has the merit that it eliminates cleartext passwords.
> That's all we were trying to do.

A replayable Digest is by no means as bad as Basic:

1. The replay is likely to be time-limited in any sensible
implementation, unlike in Basic.

2. The replay is only applicable to a single URL, unlike Basic.

3. The attacker is likely to have already seen the content, in the
process of stealing the material necessary for the replay.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

• Next message: Henrik Frystyk Nielsen: "Mandatory draft first revision - please comment!"
• Previous message: Scott Lawrence: "Re: Has the Content-Length issue been resolved?"
• Maybe in reply to: Yaron Goland: "Some comments on Digest Auth"
• Next in thread: Ben Laurie: "Re: Some comments on Digest Auth"