
Re: Protocol Authentication (was Re: Collection convergence?)



On Fri, 18 Mar 2005 15:32:35 -0500, Robert Sayre <mint@xxxxxxxxxxxxxxx> wrote:
> Joe Gregorio wrote:
> 
> > Now, mandating that a 'client' needs to be able to interact with a
> > server using Digest is something completely different. That *may* be
> > a way to increase interoperability. It seems that that is the tack
> > that WebDAV chose, unless I am reading the spec incorrectly:
> 
> You read that correctly, but the WebDAV folks consider it a mistake.
> 
>    "RFC2518 advocates Digest Authentication. There was some concern that
>     although it doesn't transmit the password in the clear, the password
>     or password equivalent still has to reside in a file on the server
>     basically in the clear. They can't rely on that file being secure
>     and felt that Basic Authentication over SSL or other transport level
>     security was a better option."
> 
>       -- http://www.webdav.org/wg/rfcdev/issues.htm

That's interesting, since Digest is designed to allow the server to *not*
have to store the plaintext password. That is, in the nomenclature of
RFC 2617, the value H(A1) is constant, being a hash of:

  A1       = unq(username-value) ":" unq(realm-value) ":" passwd

Which means that H(A1) can be stored locally and not the password.
Of course, if someone walks off with a copy of H(A1) then they can 
get access to your files, but they won't know your password. So in short,
I think I've talked myself into agreeing with their assessment.

    -joe

-- 
Joe Gregorio        http://bitworking.org
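To make the point in the thread concrete, here is an added example (not code from the original post or from any WebDAV implementation) of the RFC 2617 Digest computation with qop="auth": the server keeps only H(A1) in its credential store and can still verify a client's response, which also shows why a copy of H(A1) is password-equivalent. All usernames, realms, nonces and passwords below are constructed sample values.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617: A1 = unq(username-value) ":" unq(realm-value) ":" passwd
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617 with qop="auth": A2 = Method ":" digest-uri-value and
    # response = KD(H(A1), nonce ":" nc ":" cnonce ":" qop ":" H(A2))
    h_a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, presented: str) -> bool:
    # The server only ever needs H(A1), never the password itself.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, presented)


# Constructed sample credential store: the server keeps H(A1), not the password.
REALM = "files@example.test"
SERVER_STORE = {"alice": ha1("alice", REALM, "correct horse battery staple")}


def attempt(username: str, password: str, method: str = "GET",
            uri: str = "/dir/index.html") -> bool:
    """Client builds a response from its password; server checks it with H(A1)."""
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    client_ha1 = ha1(username, REALM, password)
    presented = digest_response(client_ha1, method, uri, nonce, nc, cnonce)
    stored = SERVER_STORE.get(username)
    return stored is not None and server_verify(stored, method, uri, nonce, nc, cnonce, presented)


if __name__ == "__main__":
    print("stored record:", SERVER_STORE)          # no plaintext password present
    print("right password:", attempt("alice", "correct horse battery staple"))
    print("wrong password:", attempt("alice", "guess"))
```

Because `server_verify` needs nothing beyond the stored H(A1), anyone holding that hash can produce valid responses for this realm, which is exactly the "password equivalent" concern the WebDAV issues list raises.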