Re: Authentication
Joe Gregorio wrote:
...
How should authentication and security be handled? Are Basic and Digest
good enough?
Okay, I'll bite...
Basic auth sends passwords in the clear; unfortunately this is something
my service (AOL Journals) isn't able to support due to the major
security issues. Digest auth, or Basic auth+SSL, are probably
good-enough minimums for handling authentication at the HTTP transport
level.
Digest authentication does not send passwords in the clear, has some
provision for protection against replay attacks and message
modification, should work with proxies and caches if desired, and is
pretty well documented: http://www.ietf.org/rfc/rfc2617.txt .
However, I've heard a concern that some blog tools can't require that
third party hosting providers have Digest auth enabled on their
servers. So it might not be possible to require this across the board.
I'd love to see a discussion of this; is it really an issue?
Apparently Basic auth + SSL is more easily achievable in those
situations. My only concern with this is that it's a bit like swatting
a fly with a sledgehammer. On the other hand, if we want to hide the
content as well as authenticating, it's a good way to go. This would
require SSL libraries on both client (or gateway) and server.
So: I think Basic over https and Digest are both good enough, and at
least one should be required.
(Finally, and this would really just be icing, it'd be nice if whatever
scheme is picked could accommodate Kerberos session tickets
[http://www.ietf.org/rfc/rfc1510.txt], or be extended to do so in the
future.)
John Panzer
AOL Time Warner
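As an added illustration of the Digest properties discussed above (not part of the original post), the following Python computes the RFC 2617 "auth" response from the RFC's own worked example and shows the server-side check, including the nonce-count comparison that gives Digest its replay protection. The `DigestVerifier` class and its nonce-tracking are a simplified assumption for demonstration; a real server would also confirm that it issued the nonce and that it has not expired.

```python
import hashlib
import hmac


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth. The password only enters via HA1,
    so the cleartext password never appears on the wire."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Simplified server-side verifier (constructed for this example).
    Stores HA1 per user rather than the password, and the highest
    nonce-count accepted for each nonce to reject replayed requests."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: _md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.seen_nc = {}  # nonce -> highest nc accepted so far

    def verify(self, username, method, uri, nonce, nc, cnonce,
               response, qop="auth"):
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False
        # Replay protection: nc must strictly increase for a given nonce.
        if int(nc, 16) <= self.seen_nc.get(nonce, 0):
            return False
        ha2 = _md5_hex(f"{method}:{uri}")
        expected = _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.seen_nc[nonce] = int(nc, 16)
        return True


if __name__ == "__main__":
    # Values from the RFC 2617 section 3.5 example.
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")
    print(resp)  # 6629fae49393a05397450978507c4ef1
```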