Re: PaceSecurityServices & Digest auth

[Joe Gregorio <joe.gregorio@xxxxxxxxx>]

On Wed, 30 Jun 2004 18:44:40 -0700, Ezra Cooper <ezra@xxxxxxxxxxxx> wrote:
> To address the third issue, I'd like to propose some alternative
> "algorithms" (in the sense of RFC 2617) for Digest auth. In particular
> I'd like to offer new functions to take the role of the H and KD
> functions used in RFC 2617, sections 3.2.2.1 and 3.2.2.2. I'm happy to
> propose these in a separate RFC, or help work them into the Atom spec.
> I do believe that they would have usefulness outside of Atom, and yet
> my immediate goal is to achieve interoperable Atom implementations.

Agreed. I believe the digest mechanism Mark and I  outlined does have the 
capability to handle the problems you have outlined. The initial
challenge from the server could indicate the desired hashing 
mechanism via 'algorithm'. I believe settling on just 3 (MD5, SHA1, and 
crypt with a given salt) would probably cover the vast majority of all cases.
The ability to handle different hashing schemes in Digest is present in the
spec but not implemented.

One thing I would like to stress is that the authentication
outlined in [1] is nothing more that RFC 2617 Digest with
some headers renamed to get around Apache's handling 
of authentication based headers and CGIs.  

In addition I would like to see implementations that 
used 'auth-int', yet another nice
feature of digest to prevent man in the middle
attacks that is currently under implemented
in digest (read: not at all).

    Thanks,


[1]  http://bitworking.org/news/New_AtomAPI_Implementation_Release2

> 
> Thanks,
> Ezra
> 
> References
> [1] http://bitworking.org/news/New_AtomAPI_Implementation_Release2
> 
>