On 2/23/06, James Holderness <[EMAIL PROTECTED]> wrote:
>
> Actually, looking at RFC2617 it basically says as much: "Because the server
> need only use the hash of the user credentials in order to create the A1
> value, this construction could be used in conjunction with a third party
> authentication service so that the web server would not need the actual
> password value."

Do any such services exist? See RFC 2617, section 4.13 Storing passwords.

   "The security implications of this are that if this password file is
   compromised, then an attacker gains immediate access to documents on
   the server using this realm."

So anything the API can do the attacker can do. Also, you have to
design your password storage to allow for this ahead of time, so many
servers *can't* implement Digest.

--

Robert Sayre

"I would have written a shorter letter, but I did not have the time."
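The point above, that the stored H(A1) is sufficient to answer any Digest challenge for that realm, can be shown directly with the RFC 2617 computation. The following is an added example, not code from the thread or from any particular server; the realm `api.example`, the user `alice` and her password are constructed sample data, and `DigestServer` is a hypothetical minimal server kept only to hold the H(A1) file. It also includes the worked values from the RFC 2617 section 3.5 example so the MD5 construction can be checked against the specification.

```python
# Added example: RFC 2617 Digest (algorithm=MD5, qop=auth) computed from H(A1)
# only, to show that a stolen H(A1) file is a password equivalent for its realm.
import hashlib
import secrets


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 3.2.2.2, algorithm=MD5: H(username:realm:password).
    This hash, not the password, is all a Digest server has to store."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """RFC 2617 3.2.2.3 for qop=auth: H(method:digest-uri)."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1_hex, nonce, nc, cnonce, method, uri, qop="auth"):
    """RFC 2617 3.2.2.1, qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2)).
    Note that the cleartext password never appears here; H(A1) suffices."""
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri)}")


class DigestServer:
    """Hypothetical minimal server: a realm plus the H(A1) file that
    RFC 2617 section 4.13 warns about."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_store = {}  # username -> H(A1)

    def enroll(self, username, password):
        # H(A1) can only be computed while the cleartext password is in hand,
        # and it is bound to this realm. A server whose password file already
        # holds e.g. salted one-way hashes cannot derive it later, which is why
        # Digest support has to be designed into password storage up front.
        self.ha1_store[username] = ha1(username, self.realm, password)

    def new_nonce(self):
        return secrets.token_hex(16)

    def verify(self, username, nonce, nc, cnonce, method, uri, response):
        stored = self.ha1_store.get(username)
        if stored is None:
            return False
        expected = digest_response(stored, nonce, nc, cnonce, method, uri)
        return secrets.compare_digest(expected, response)


def client_response(username, realm, password, nonce, nc, cnonce, method, uri):
    """What a legitimate client sends: it derives H(A1) from the password."""
    return digest_response(ha1(username, realm, password), nonce, nc, cnonce, method, uri)


def rfc2617_example_response():
    """The worked example from RFC 2617 section 3.5 (Mufasa / Circle Of Life)."""
    h1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return digest_response(h1, "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b", "GET", "/dir/index.html")


def demo():
    """Returns (legit_ok, stolen_ha1_ok, wrong_password_ok) for constructed data."""
    server = DigestServer("api.example")       # assumed realm
    server.enroll("alice", "correct horse")     # constructed credentials
    method, uri, nc = "GET", "/documents/1", "00000001"

    # 1. A real client with the password authenticates normally.
    nonce, cnonce = server.new_nonce(), secrets.token_hex(8)
    legit = client_response("alice", server.realm, "correct horse",
                            nonce, nc, cnonce, method, uri)
    legit_ok = server.verify("alice", nonce, nc, cnonce, method, uri, legit)

    # 2. An attacker who copied the H(A1) file (the section 4.13 scenario)
    #    answers a fresh challenge without ever knowing the password.
    stolen_ha1 = server.ha1_store["alice"]
    nonce, cnonce = server.new_nonce(), secrets.token_hex(8)
    forged = digest_response(stolen_ha1, nonce, nc, cnonce, method, uri)
    stolen_ok = server.verify("alice", nonce, nc, cnonce, method, uri, forged)

    # 3. Guessing the password still fails, so the check itself is sound;
    #    the weakness is entirely in what the stored file is worth.
    nonce, cnonce = server.new_nonce(), secrets.token_hex(8)
    wrong = client_response("alice", server.realm, "wrong guess",
                            nonce, nc, cnonce, method, uri)
    wrong_ok = server.verify("alice", nonce, nc, cnonce, method, uri, wrong)

    return legit_ok, stolen_ok, wrong_ok


if __name__ == "__main__":
    print("RFC 2617 3.5 response:", rfc2617_example_response())
    print("(legit, stolen H(A1), wrong password):", demo())
```

Running `demo()` gives `(True, True, False)`: the forged response built from nothing but the stored H(A1) is accepted exactly like the legitimate one, which is what "anything the API can do the attacker can do" means in practice. The H(A1) is also tied to the realm string, so it cannot be reused against a server with a different realm, but that is no comfort to the server whose file was taken.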
