[4646] in WWW Security List Archive
Re: SecureID alternatives?
daemon@ATHENA.MIT.EDU (Dave Kristol)
Tue Mar 4 12:47:12 1997
Date: Tue, 4 Mar 97 09:51:38 EST
From: dmk@research.bell-labs.com (Dave Kristol)
To: vin@shore.net
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Vin McLellan <vin@shore.net> wrote:
> [...]
> Anyone know about DAA??? I'm intrigued by RFC 2069, which offers
> Digest Access Authentication (DAA) to replace HTTP 1's basic authentication
> -- particularly its optional second digest (which would offer a continuous
> authentication, protecting against session hijacking and guaranteeing the
> integrity of a downloaded html page.)
I wouldn't put *too* much trust in the second digest. Because a
man-in-the-middle could replace the digest= field with one of its own,
the MITM could replace the content and adjust digest=. So this digest
provides no protection against meddling. It merely assures that the
content matches the digest. Still, that can be useful, especially for
PUT/POST, where (assuming *no* meddling) you want to be sure the
content reaches the server correctly.
Dave Kristol
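The reasoning in the message above, as an added example that is not part of the original thread: it models digest= the way the message describes it, as a value anyone who sees the content can recompute, and contrasts it with a keyed digest that an in-path party cannot recompute. The sample bodies, the shared secret, the header parsing and the digest formulas are constructed for illustration and do not reproduce RFC 2069's exact entity-digest computation.

```python
import hashlib
import hmac

# Constructed sample content and secret (not from the original message).
ORIGINAL_BODY = b"<html><body>Balance: 100</body></html>"
TAMPERED_BODY = b"<html><body>Balance: 999</body></html>"
SHARED_SECRET = b"example-shared-secret"  # assumed: known only to client and server


def unkeyed_digest(body: bytes) -> str:
    """Digest over the content alone: anyone who sees the body can recompute it."""
    return hashlib.md5(body).hexdigest()


def keyed_digest(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """HMAC over the content: recomputing it requires the shared secret."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_response(body: bytes, digest_fn) -> dict:
    """Server side: attach a digest= directive (constructed header shape)."""
    return {"Authentication-info": f'digest="{digest_fn(body)}"', "body": body}


def parse_digest(header: str) -> str:
    """Extract the quoted value of the digest= directive."""
    _, _, value = header.partition("digest=")
    return value.strip('"')


def verify(response: dict, digest_fn) -> bool:
    """Client side: does the digest= value match the body we received?"""
    expected = digest_fn(response["body"])
    return hmac.compare_digest(parse_digest(response["Authentication-info"]), expected)


def rewrite_in_transit(response: dict, new_body: bytes) -> dict:
    """The in-path party from the message: it sees only the wire data, so the
    best it can do is recompute a content-only digest for the replaced body."""
    return {"Authentication-info": f'digest="{unkeyed_digest(new_body)}"', "body": new_body}


def demo() -> dict:
    unkeyed = build_response(ORIGINAL_BODY, unkeyed_digest)
    keyed = build_response(ORIGINAL_BODY, keyed_digest)
    return {
        "unkeyed_ok": verify(unkeyed, unkeyed_digest),
        # The message's point: verification still passes after the rewrite.
        "unkeyed_tampered_ok": verify(rewrite_in_transit(unkeyed, TAMPERED_BODY), unkeyed_digest),
        "keyed_ok": verify(keyed, keyed_digest),
        "keyed_tampered_ok": verify(rewrite_in_transit(keyed, TAMPERED_BODY), keyed_digest),
    }
```

`demo()` returns True for both unkeyed checks, showing that a matching content-only digest says nothing about meddling in transit, and False for the keyed tampered case.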