Paul Hoffman asked me to reprise my remarks on HTTP Authentication
options from IETF 66 on the mailing list, so here goes.
At the present moment, there are three HTTP authentication schemes
in reasonably wide use:
- Basic: raw passwords in the HTTP headers.
- Digest: a
Julian Reschke [EMAIL PROTECTED] wrote:
thanks for the good summary (with which I agree).
Obviously it's a good idea for IETF specs that are based on HTTP to
talk about authentication options. What's really not clear to me is why
it is expected that this exercise should be repeated for each
On 7/17/06, Eric Rescorla [EMAIL PROTECTED] wrote:
In most such systems, the passwords are stored in the password
database as a one-way hash of the password.
Systems that use forms will often do this as well...
IMPLEMENTATION ISSUES
I'm given to understand that there are ways in which
Doh. Fat-fingered my reply. Resending to the list.
On 7/17/06, Eric Rescorla [EMAIL PROTECTED] wrote:
In most such systems, the passwords are stored in the password
database as a one-way hash of the password.
Systems that use forms will often do this as well...
Yes, the heading
On 7/17/06, Eric Rescorla [EMAIL PROTECTED] wrote:
If by existing auth database you mean the basic or form database,
this is generally correct--though one could in fact implement
an auth database that would work for both.
Right. But some of our server implementers couldn't implement it if
Robert Sayre wrote:
Some implementations respect the charset
parameter specified in SASL Digest (RFC 2831). Others use the encoding
of the page. No one is quite sure what IE does.
From Microsoft's SSP docs [1]:
Digest SSP uses the charset directive for both HTTP and SASL mode. This
Added atom-protocol to the Cc: line
Robert Sayre [EMAIL PROTECTED] wrote:
On 7/17/06, Eric Rescorla [EMAIL PROTECTED] wrote:
I'm not familiar with what HTTP implementations do, but I'll note
that SIP implementations will do auth-int.
Mozilla doesn't do it. Apache (mod_auth_digest)
On 7/17/06, Eric Rescorla [EMAIL PROTECTED] wrote:
Right. My point was merely that it's doable as a matter of
programming.
That's debatable, from an HTTP server's perspective, because the
server must check (and temporarily store) the whole request before it
can tell if the client knows the
Robert Sayre [EMAIL PROTECTED] writes:
On 7/17/06, Eric Rescorla [EMAIL PROTECTED] wrote:
Right. My point was merely that it's doable as a matter of
programming.
That's debatable, from an HTTP server's perspective, because the
server must check (and temporarily store) the whole request