
Re: Protocol Authentication (was Re: Collection convergence?)



On Thu, 17 Mar 2005 17:50:38 -0500, Robert Sayre <mint@xxxxxxxxxxxxxxx> wrote:
> 
> John Panzer wrote:
> 
> > Note that the draft spec doesn't prohibit doing any of this.  It just
> > says that you also have to support Digest Auth, whatever else you do.
> > I'm not sure whether Blogger intends to support the spec once it's
> > finalized; adding Digest to BASIC auth would be pretty easy.  Has anyone
> > asked Jason Shellen?  (CCd).
> 
> Steve and Greg have both posted in the past that they can't and won't
> support Digest. Dare has also objected to the requirement.
> 
> >
> >>>
> >>> I believe we do need a "greatest common denominator" authentication
> >>> specification for interoperability, but could be convinced otherwise.
> >>>
> >>
> >> I wish we could do that, but we can't, IMHO.
> >>
> > OK, that's your opinion; my opinion is the opposite.  You've presented
> > one case (Blogger) that's using something almost compliant with the
> > draft spec, and mentioned a few hypothetical clients that you think
> > won't follow the spec.  I'm still not convinced.  Maybe I'm an incurable
> > optimist.
> 
> I think this is not our layer. The real world will shake out industry
> standard auth schemes pretty quickly, I imagine. Deciding security
> requirements for other people is really tough, IMHO.

+1 We should just state that *if* authentication is required 
    on the server then the implementation should consider the following 
    issues... blah blah no plain text passwords blah blah.

Mandating Digest for the server is problematic for several reasons:

1. How soon until it is no longer considered as insecure as
    Basic? MD5 is broken and Digest itself is already open
    to man-in-the-middle attacks. There is no way to predict
    how quickly an auth scheme will go out of favor; how long
    was SHA-1 supposed to last?

2. It is also problematic in situations where the
    service may not be protected, for example, a wiki.

Now, mandating that a 'client' needs to be able to interact with a
server using Digest is something completely different. That *may* be
a way to increase interoperability. It seems that that is the tack
that WebDAV chose, unless I am reading the spec incorrectly:

    http://www.webdav.org/specs/rfc2518.html#rfc.section.17.1

    -joe

-- 
Joe Gregorio        http://bitworking.org
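The Digest exchange being weighed against Basic above, as an added example that is not part of the original post or of the Atom draft: a server that issues an RFC 2617 challenge and verifies the response against a stored H(A1) instead of a plaintext password, a client that answers it, and the active downgrade that RFC 2617 section 4.8 itself warns about, where an attacker on a cleartext link rewrites the Digest challenge to Basic and a client that does not insist on Digest hands over the password. The realm, user and password are constructed for the example; the one fixed test vector (Mufasa / Circle Of Life) is the worked example from RFC 2617 section 3.5.

```python
"""Toy HTTP Digest (RFC 2617, qop=auth) exchange and the MITM downgrade it
does not prevent.  Added example; not code from the Atom mailing list."""
import base64
import hashlib
import hmac
import re
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response_from_ha1(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 3.2.2.1 for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    ha1 = md5hex(f"{username}:{realm}:{password}")  # H(A1) is bound to the realm
    return digest_response_from_ha1(ha1, method, uri, nonce, nc, cnonce, qop)


def parse_auth_header(header):
    """Split 'Scheme k="v", k2=v2' into (scheme, {k: v}); quotes are stripped."""
    scheme, _, rest = header.partition(" ")
    params = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]*)', rest)}
    return scheme, params


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        # Store H(A1), not the password (RFC 2617 4.13).  It is not plaintext,
        # but it is a realm-bound password equivalent, so protect it like one.
        self.ha1 = {u: md5hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method, uri, authz):
        scheme, p = parse_auth_header(authz)
        if scheme != "Digest":
            return False
        needed = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}
        if not needed.issubset(p):
            return False
        # A nonce is accepted once, so a captured Authorization header cannot be
        # replayed (production servers track the nc counter per nonce instead).
        if p["nonce"] not in self.live_nonces:
            return False
        self.live_nonces.discard(p["nonce"])
        if p["realm"] != self.realm or p["uri"] != uri:
            return False
        ha1 = self.ha1.get(p["username"])
        if ha1 is None:
            return False
        expected = digest_response_from_ha1(ha1, method, uri, p["nonce"], p["nc"], p["cnonce"], p["qop"])
        return hmac.compare_digest(expected, p["response"])


def client_respond(challenge, username, password, method, uri, require_digest):
    """Answer a WWW-Authenticate challenge.  With require_digest=True the client
    refuses a Basic challenge rather than sending the password in the clear."""
    scheme, p = parse_auth_header(challenge)
    if scheme == "Basic":
        if require_digest:
            return None
        return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
    nc, cnonce = "00000001", secrets.token_hex(4)
    resp = digest_response(username, password, p["realm"], method, uri, p["nonce"], nc, cnonce, p["qop"])
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop={p["qop"]}, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def mitm_downgrade(challenge):
    """Active attacker on a cleartext link swaps Digest for Basic (RFC 2617 4.8)."""
    _, p = parse_auth_header(challenge)
    return f'Basic realm="{p["realm"]}"'


def decode_basic(authz):
    """What the attacker reads off the wire after a successful downgrade."""
    return base64.b64decode(authz.split(" ", 1)[1]).decode()
```

Run against a fresh `DigestServer("atom@example.org", {"joe": "s3cret"})`, a round trip verifies, replaying the same Authorization header fails, and a challenge passed through `mitm_downgrade` yields `joe:s3cret` in the clear from a client that accepts whatever scheme it is offered, while a client that pins Digest returns `None`. The downgrade only disappears once the channel is TLS, which is why the scheme alone settles neither the wire-confidentiality question nor the server-side storage question the thread is debating.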