RE: Logout
Joris Dobbelsteen (joris.dobbelsteen@mail.com)
Mon, 8 Jan 2001 19:03:32 +0100
>-----Original Message-----
>From: Scott Lawrence [mailto:slawrence@virata.com]
>Sent: Monday, 8 January 2001 18:33
>To: Joris Dobbelsteen
>Cc: WWW WG (E-mail)
>Subject: Re: Logout
>
>
>Joris Dobbelsteen wrote:
>
>
>> Basic is completely insecure. Digest has some security hazards:
>> Server sends a 'key' to use with hashing. When the same 'key' is used,
>> the hashed password captured can be reused.
>> Also doesn't digest authentication (nor basic authentication) provide
>> data integrity.
>
>Actually, the Digest spec provides a content integrity mechanism
>(qop=auth-int). It does not protect most of the header information
>(because of compatibility problems with proxies), but does protect
>and authenticate the message body by including a hash of the message
>body as an input to the response hash.
>
Wasn't aware of the hash included of the message body.
>As for alternative schemes that provide better security without
>SSL/TLS, there was a very good spec "The Secure HyperText Transfer
>Protocol" that just didn't get any traction with implementors:
>
>http://www.ietf.org/rfc/rfc2660.txt
>
>
I will read RFC2660....
- Joris
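
Added example, not part of the original message or of any implementation mentioned in the thread: the qop=auth-int computation from RFC 2617, showing how the body hash feeds the response hash and why a server must refuse a repeated nonce and nonce count. The credentials, nonce values, helper names and the simple "seen" set are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def auth_int_response(user, realm, password, method, uri, nonce, nc, cnonce, body):
    """request-digest for qop=auth-int as defined in RFC 2617."""
    ha1 = md5_hex(f"{user}:{realm}:{password}".encode())
    # A2 = method ":" uri ":" H(entity-body): this ties the body to the response.
    ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}".encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth-int:{ha2}".encode())

def server_verify(creds, req, seen):
    """Recompute the digest over the body as received; refuse a repeated (nonce, nc)."""
    key = (req["nonce"], req["nc"])
    if key in seen:
        return False  # same server nonce and count again: treat as a replay
    expected = auth_int_response(creds["user"], creds["realm"], creds["password"],
                                 req["method"], req["uri"], req["nonce"],
                                 req["nc"], req["cnonce"], req["body"])
    if not hmac.compare_digest(expected, req["response"]):
        return False  # body (or method/URI) no longer matches what the client hashed
    seen.add(key)
    return True

# Constructed sample values, not taken from the thread.
CREDS = {"user": "alice", "realm": "example", "password": "s3cret"}

def make_request(body, nonce="constructed-nonce-1", nc="00000001"):
    req = {"method": "POST", "uri": "/transfer", "nonce": nonce, "nc": nc,
           "cnonce": "constructed-cnonce", "body": body}
    req["response"] = auth_int_response(CREDS["user"], CREDS["realm"], CREDS["password"],
                                        req["method"], req["uri"], nonce, nc,
                                        req["cnonce"], body)
    return req

if __name__ == "__main__":
    seen = set()
    good = make_request(b"amount=10&to=bob")
    tampered = dict(good, body=b"amount=9999&to=mallory")
    print("tampered body accepted:", server_verify(CREDS, tampered, seen))
    print("genuine request accepted:", server_verify(CREDS, good, seen))
    print("same request replayed:", server_verify(CREDS, good, seen))
```

Headers other than the method and URI are not inputs to either hash, so changing them does not affect verification.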