[351] in WWW Security List Archive
Re: The Digest authentication scheme
daemon@ATHENA.MIT.EDU (Albert Lunde)
Thu Jan 26 04:32:43 1995
To: www-security@ns2.rutgers.edu
Date: Wed, 25 Jan 1995 23:53:46 -0600 (CST)
In-Reply-To: <9501251549.AA18552@hopf.math.nwu.edu> from "John Franks" at Jan 25, 95 09:49:52 am
From: Albert-Lunde@nwu.edu (Albert Lunde)
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
John Franks wrote...
> Here are some thoughts on the Digest authentication scheme proposed
> by Philip Hallam-Baker. [...]
I'm impressed, as John Franks seems to be, by the greater complexity
of Phillip's scheme, and the non-obviousness of some of the details.
But I also think Phillip makes a reasonable case (especially in his
followup, where he motivates some of the details) for his design
on cryptographic grounds.
If I'm reading the description correctly one motivation for doing
a digest on the message body is to make it easier to use with
a "security enhancement" gateway (where digesting is replaced with
encryption encapsulation ??) and also to protect the integrity
of the message against man-in-the-middle attacks.
This does go a bit beyond the merits of simplemd5 which seem mainly
to stop password sniffing.
I'd favor the suggestion of making the digest of the body optional
so folks could make the cost/security tradeoffs as seemed best.
I'm also happy to see the various authors talking ;) ... Even if
we can't get a single cryptographic scheme, I'd like to see
convergence on extension negotation and non-crytographic details
for the sake of cleanness in the HTTP standards.
(HTTP extensions have an interesting tendency to spawn new headers ;)
( X-Content-Smell: nirvana; charset=Multicode; ISO=GWM ;) ;)
Thanks to all for their efforts.
--
Albert Lunde Albert-Lunde@nwu.edu
