Re: Straw-man charter for http-bis

[Henrik Nordstrom <henrik@henriknordstrom.net>]

sön 2007-06-10 klockan 14:10 -0700 skrev Lisa Dusseault:



> Digest has a bad reputation particularly among Web App developers for
> a number of reasons, some inherent to the design and specification,
> some stemming from implementation and deployment choices.

Nearly all is implementation.

> http://www.xml.com/pub/a/2003/12/17/dive.html:  "most web hosting
> providers don't turn on digest authentication (it requires an Apache
> module that is not on by default). Even if Bob's ISP had

Implementation.

> http://blogs.msdn.com/drnick/archive/2006/05/12/understanding-http-authentication.aspx: "Digest authentication requires the use of Windows domain accounts.

Plain untrue, unless you restrict your view of Digest to the Microsoft
IIS implementation in which case it's implementation.


> http://www.imc.org/atom-syntax/mail-archive/msg06103.html: " (1) Some
> web-servers remove the WWW-Authenticate header before passing it to a
> CGI program."

Implementation. Well, CGI is not the proper interface to implement
authentication schemes, but it's implementation in the sense that web
servers is a bit poor in allowing applications to set the authentication
requirements in a sensible manner. But it is fully doable with only a
little effort.

> http://www.imc.org/atom-protocol/mail-archive/msg00836.html: "do all
> digest and WSSE implementations require server-side access to
> clear-text passwords or is that just a weakness of the implementations
> I looked at?"

No, the realm specific H(A1) is required.

> http://www.imc.org/atom-syntax/mail-archive/msg00139.html:  "I'm a
> small site, security is very much a concern and my host does not
> provide Digest and won't do so." 

Implementation.

> Thus it's hard for an administrator to use today's Web server software
> and Digest authentication, and still have an application-specific
> database of usernames/passwords.  The server software gets in the way
> -- it may even be easier for the Web App developer to implement
> something non-standard like WSSE than have to rely on built-in
> functions.

Thats all implementation. Web servers don't make it easy for
applications to use/control HTTP authentication. So applications don't
use it.

CGI is not the proper interface for HTTP authentication. It's the web
servers responsibility to handle the fine details of HTTP (including
authentication) and the CGIs responsibility to provide content &
applications.

> i18n is also a problem:
> http://www.agileprogrammer.com/eightytwenty/archive/2006/05/04/14280.aspx

Yes, this is a specifications problem inherent to both Basic and Digest,

> And for humour on the situation:
> http://bitworking.org/news/Problems_with_HTTP_Authentication_Interop

Yes, there is lots of broken Digest implementations around either not
reading the specs, not caring to implement anything but the absolute
minimum required for a conditionally compliant implementation, not
testing their implementation, or sticking to old specs considered
obsolete and broken. And pressure from users that things must work even
with the broken implementations as the users consider the broken browser
implementations unfixable. Don't know how many times I have asked users
to file a bug report with vendor X and always receive the same answer
"no, it's of no use. we must work around the bug somehow".

Regards
Henrik