[1357] in WWW Security List Archive
Digest Authentication
daemon@ATHENA.MIT.EDU (Larry Masinter)
Fri Dec 29 19:15:01 1995
To: www-security@ns2.rutgers.edu
CC: ams@eit.com
From: Larry Masinter <masinter@parc.xerox.com>
Reply-to: http-wg@cuckoo.hpl.hp.com
Date: Fri, 29 Dec 1995 13:54:14 PST
Errors-To: owner-www-security@ns2.rutgers.edu
The Digest Access Authentication mechanism has been resubmitted to the
HTTP working group for consideration for inclusion in HTTP/1.1. The
boundary between HTTP-WG and WTS-WG is fuzzy in this area, but I would
like to make sure that members of WTS-WG and the Security Area have an
adequate chance to review and comment on security-related items in
HTTP-WG documents.
Does anyone believe that HTTP-WG should *not* proceed with digest-aa?
================================================================
Title : A Proposed Extension to HTTP : Digest Access Authentication
Author(s) : J. Hostetler, J. Franks, P. Hallam-Baker, A. Luotonen, E. Sink, L. Stewart
Filename : draft-ietf-http-digest-aa-02.txt
Pages : 6
Date : 12/20/1995
The protocol referred to as "HTTP/1.0" includes specification for a Basic
Access Authentication scheme. This scheme is not considered to be a secure
method of user authentication, as the user name and password are passed
over the network in an unencrypted form. A specification for a new
authentication scheme is needed for future versions of the HTTP protocol.
This document provides specification for such a scheme, referred to as
"Digest Access Authentication". The encryption method used is the RSA Data
Security, Inc. MD5 Message-Digest Algorithm [3].