On Sat, 2008-10-25 at 13:33 +0200, Oleg Kalnichevski wrote:
> On Fri, 2008-10-24 at 13:45 +0100, sebb wrote:
> > On 24/10/2008, Lovette, Steve <[EMAIL PROTECTED]> wrote:
> > > Sebbaz
> > >
> > > From what I have read the use of algorithms that have been shown to be
> > > breakable becomes unacceptable. There is literature on the web about
> > > this. From reading the government NIST web site and the government STIGs
> > > that recommend only the SHA-x algorithms to be used in sensitive
> > > applications. MD5 is not a government approved algorithm to be used in
> > > hashing functions where encryption is involved.
> >
> > OK, but so what?
> >
> > > That said your point about HTTP client may well be the best counter
> > > point. Since HTTP client runs on the client and the client is always
> > > suspect then perhaps this is a sufficient argument.
> >
> > I think you still misunderstand what HC is for.
> >
> > It is irrelevant where HC runs; the point is that it is a client
> > library, i.e. it talks to servers.
> >
> > If the server needs MD5 for something, then HC will use that.
> > HC does not use MD5 for its own purposes.
> >
>
> Sebastian, et al
>
> I took a brief look at the DIGEST authentication scheme implementation
> in HttpClient 4.0 and it appears HttpClient will reject a challenge
> unless the specified digest algorithm is either MD5 or MD5-sess. As far
> as I can tell these are the two algorithms mentioned in RFC 2617. There is
> no mention of SHA-x algorithms in the spec. However, it would
> certainly make sense to ensure HttpClient can support alternative
> digests, if the server requests an algorithm other than MD5 or MD5-sess.
>
> Steve,
>
> If you think the present implementation of DIGEST authentication is not
> secure enough, feel free to open a JIRA for this issue.
>
> https://issues.apache.org/jira/browse/HTTPCLIENT
>
> Oleg
>

DigestScheme can now use an arbitrary digest algorithm requested by the
target server (such as SHA) as long as that algorithm is supported by the
Java runtime.

Oleg

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
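The thread turns on two points: a Digest client must use whatever hash the server's challenge names (MD5 and MD5-sess in RFC 2617), and a client that wants to honour other tokens such as SHA can only do so if its runtime supplies that digest. The following is an added example illustrating both points; it is not HttpClient's DigestScheme or any other code from the project, and the names `SUPPORTED_ALGORITHMS`, `resolve_hash`, `digest_response` and `verify_response` are my own. It maps the challenge's algorithm token (with optional `-sess` suffix) to a runtime hash, rejects tokens the runtime cannot supply, computes the RFC 2617 response on the client side, and checks it on the server side against the algorithm and nonce the server issued. The walk-through values are the ones printed in RFC 2617 section 3.5.

```python
"""RFC 2617 Digest computation with the hash algorithm chosen by the server.

Added example for this thread; it is not HttpClient's DigestScheme. All names
(SUPPORTED_ALGORITHMS, resolve_hash, digest_response, verify_response) are
illustrative. The MD5 / MD5-sess tokens come from RFC 2617; SHA-256 stands in
for the kind of non-MD5 digest the thread asks to support.
"""
import hashlib
import hmac
import secrets

# Server algorithm token -> hashlib constructor name. Tokens are compared
# case-insensitively; a "-sess" suffix selects the session variant of HA1.
SUPPORTED_ALGORITHMS = {
    "MD5": "md5",
    "SHA-256": "sha256",
}


def resolve_hash(algorithm: str):
    """Return (hexdigest_function, is_session_variant) for a challenge token.

    Raises ValueError when the token is unknown or the runtime cannot supply
    the digest; the client must then reject the challenge rather than guess.
    """
    token = algorithm.strip()
    is_sess = token.upper().endswith("-SESS")
    base = token[:-5] if is_sess else token
    name = SUPPORTED_ALGORITHMS.get(base.upper())
    if name is None:
        raise ValueError(f"unsupported digest algorithm: {algorithm!r}")
    try:
        hashlib.new(name)  # fails if the runtime (e.g. a FIPS build) lacks it
    except ValueError as exc:
        raise ValueError(f"runtime lacks digest {name!r}") from exc

    def hexdigest(data: str) -> str:
        return hashlib.new(name, data.encode("utf-8")).hexdigest()

    return hexdigest, is_sess


def compute_ha1(h, is_sess, username, realm, password, nonce, cnonce):
    """HA1 = H(user:realm:pass); the -sess variant mixes in nonce and cnonce."""
    ha1 = h(f"{username}:{realm}:{password}")
    if is_sess:
        ha1 = h(f"{ha1}:{nonce}:{cnonce}")
    return ha1


def digest_response(username, password, realm, nonce, method, uri,
                    algorithm="MD5", qop="auth", nc="00000001", cnonce=None):
    """Client side: build the Authorization parameters for a challenge."""
    h, is_sess = resolve_hash(algorithm)
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = compute_ha1(h, is_sess, username, realm, password, nonce, cnonce)
    ha2 = h(f"{method}:{uri}")  # qop="auth-int" would also hash the body
    if qop:
        response = h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    else:  # legacy RFC 2069 form: no qop, nc or cnonce in the hash
        response = h(f"{ha1}:{nonce}:{ha2}")
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "algorithm": algorithm, "qop": qop, "nc": nc, "cnonce": cnonce,
            "response": response}


def verify_response(params, password, method, expected_nonce, algorithm="MD5"):
    """Server side: recompute the response and compare in constant time.

    The server uses the algorithm and nonce *it* issued, not whatever the
    client echoes back, so a downgraded token or a replayed Authorization
    header against a fresh challenge fails.
    """
    if params.get("nonce") != expected_nonce:
        return False
    try:
        expected = digest_response(params["username"], password, params["realm"],
                                   params["nonce"], method, params["uri"],
                                   algorithm=algorithm, qop=params["qop"],
                                   nc=params["nc"], cnonce=params["cnonce"])
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(expected["response"], params["response"])


if __name__ == "__main__":
    # Walk-through using the worked values from RFC 2617 section 3.5.
    auth = digest_response("Mufasa", "Circle Of Life", "testrealm@host.com",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET",
                           "/dir/index.html", cnonce="0a4f113b")
    print(auth["response"])  # 6629fae49393a05397450978507c4ef1
    print(verify_response(auth, "Circle Of Life", "GET",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093"))
```

Two design choices worth noting. The client never picks the hash itself: `resolve_hash` only translates the server's token, and an unknown or unavailable digest is a hard rejection, which is the behaviour the thread describes for an HttpClient that receives a challenge it cannot honour. On the server side, `verify_response` recomputes with the algorithm the server demanded, so a client that answers a SHA-256 challenge with an MD5 response is refused rather than silently accepted.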
