>Digest, per se, doesn't require clear text password storage.
>Squid's supplied helper uses cleartext, but that is simply -a-
>implementation. Squid itself never needs the cleartext password.

Technically, yes - digest auth does not require the password to be stored in cleartext. However, as you pointed out, the Squid-supplied helper does, and I know of no other digest helper for Squid. Furthermore, since knowledge of the clear text password is needed to verify the digest sent, the password would need to be stored either in clear text or reversible encryption - unless I completely misunderstand how digest auth works (which is also quite possible).

Digest could be improved upon by using a hash of the password instead of the password itself. Of course, there's something of a chicken-and-egg problem here: proxy and web servers won't support it until browsers support it, and browsers won't support it until proxy and web servers support it. Additionally, since digest auth is an RFC, someone would have to draft another RFC. So even if it is a great idea, it can't be implemented quickly (if at all).

Adam
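
The quoted point about storage, worked through as an added example that is not part of the original thread and is not Squid's helper code: a verifier for RFC 2617 Digest (algorithm=MD5, qop=auth) that stores only HA1 = MD5(user:realm:password). The function names, realm and credentials are constructed for illustration, and nonce issuance and replay tracking are left out.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def make_ha1(user, realm, password):
    # Computed once when the password is set; the password is not kept.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, f):
    # RFC 2617 request-digest for algorithm=MD5 with qop=auth.
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(
        f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")

REQUIRED = ("username", "realm", "uri", "nonce", "nc", "cnonce", "response")

def verify(store, method, f):
    # Server side: looks up the stored HA1 and never handles the password.
    if f.get("qop") != "auth" or any(k not in f for k in REQUIRED):
        return False
    ha1 = store.get((f["username"], f["realm"]))
    if ha1 is None:
        return False
    # Constant-time comparison of expected and received hex digests.
    return hmac.compare_digest(digest_response(ha1, method, f), f["response"])

def client_fields(user, realm, password, method, uri, nonce, nc, cnonce):
    # Client side: the only party that uses the clear-text password.
    f = {"username": user, "realm": realm, "uri": uri, "nonce": nonce,
         "nc": nc, "cnonce": cnonce, "qop": "auth"}
    f["response"] = digest_response(make_ha1(user, realm, password), method, f)
    return f

# Constructed sample store: (user, realm) -> HA1, no passwords.
REALM = "proxy.example"
STORE = {("alice", REALM): make_ha1("alice", REALM, "correct horse")}

if __name__ == "__main__":
    args = ("GET", "http://example.com/", "abc123", "00000001", "0a4f113b")
    good = client_fields("alice", REALM, "correct horse", *args)
    bad = client_fields("alice", REALM, "wrong guess", *args)
    print("correct password:", verify(STORE, "GET", good))
    print("wrong password:  ", verify(STORE, "GET", bad))
```

The stored HA1 is bound to one user and realm, but it is all that is needed to compute a valid response for that realm, so the file holding it needs the same protection as a password file.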