Re: Straw-man charter for http-bis

Lisa Dusseault <lisa@osafoundation.org> Sun, 10 June 2007 21:10 UTC

Return-path: <discuss-bounces@apps.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HxUg0-0000vX-HW; Sun, 10 Jun 2007 17:10:20 -0400
Received: from discuss by megatron.ietf.org with local (Exim 4.43) id 1HxUg0-0000vS-0s for discuss-confirm+ok@megatron.ietf.org; Sun, 10 Jun 2007 17:10:20 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HxUfz-0000vK-Mv for discuss@apps.ietf.org; Sun, 10 Jun 2007 17:10:19 -0400
Received: from laweleka.osafoundation.org ([204.152.186.98]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HxUfx-0003iZ-W5 for discuss@apps.ietf.org; Sun, 10 Jun 2007 17:10:19 -0400
Received: from localhost (laweleka.osafoundation.org [127.0.0.1]) by laweleka.osafoundation.org (Postfix) with ESMTP id 767A7142204; Sun, 10 Jun 2007 14:10:17 -0700 (PDT)
X-Virus-Scanned: by amavisd-new and clamav at osafoundation.org
Received: from laweleka.osafoundation.org ([127.0.0.1]) by localhost (laweleka.osafoundation.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yrXEDI38OveR; Sun, 10 Jun 2007 14:10:15 -0700 (PDT)
Received: from [192.168.1.100] (unknown [74.95.2.169]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by laweleka.osafoundation.org (Postfix) with ESMTP id 4E497142202; Sun, 10 Jun 2007 14:10:14 -0700 (PDT)
In-Reply-To: <1181342059.4818.63.camel@henriknordstrom.net>
References: <BA772834-227A-4C1B-9534-070C50DF05B3@mnot.net> <392C98BA-E7B8-44ED-964B-82FC48162924@mnot.net> <6AE049B9045C00064222693F@[10.1.110.5]> <1181250794.24162.109.camel@henriknordstrom.net> <46696B98.1090201@cisco.com> <1181342059.4818.63.camel@henriknordstrom.net>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: multipart/alternative; boundary=Apple-Mail-43--808334052
Message-Id: <8DD2BD5A-9068-43C3-973E-382FAD2E0EA8@osafoundation.org>
From: Lisa Dusseault <lisa@osafoundation.org>
Subject: Re: Straw-man charter for http-bis
Date: Sun, 10 Jun 2007 14:10:12 -0700
To: Henrik Nordstrom <henrik@henriknordstrom.net>
X-Mailer: Apple Mail (2.752.3)
X-Spam-Score: 0.1 (/)
X-Scan-Signature: cd3fc8e909678b38737fc606dec187f0
Cc: Apps Discuss <discuss@apps.ietf.org>, Mark Nottingham <mnot@mnot.net>, Chris Newman <Chris.Newman@Sun.COM>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Eliot Lear <lear@cisco.com>
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: general discussion of application-layer protocols <discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org

On Jun 8, 2007, at 3:34 PM, Henrik Nordstrom wrote:

> In what way does Digest not fit that? (putting aside the security  
> concerns
> regarding Digest use of MD5 and how)
>
> What is missing for Digest is some standard means for establishing the
> password without exchanging the password, but it's possible to do such
> exchange, at least to a reasonable level.

Digest has a bad reputation particularly among Web App developers for  
a number of reasons, some inherent to the design and specification,  
some stemming from implementation and deployment choices.

http://www.xml.com/pub/a/2003/12/17/dive.html:  "most web hosting  
providers don't turn on digest authentication (it requires an Apache  
module that is not on by default). Even if Bob's ISP had  
mod_digest_auth enabled, it wouldn't help Bob, because he has  
no .htaccess rights to configure his passwords; and, because of the  
way Apache works, CGIs can't implement digest authentication on their  
own. (Scripts handled by an Apache module, such as mod_php or  
mod_perl, can implement HTTP digest authentication. But external CGI  
processes can't because Apache does not pass the necessary headers  
along to the CGI script. But that still doesn't help Bob because his  
hosting provider doesn't offer PHP; and, even if they did, his weblog  
software doesn't run on PHP anyway.)"

http://blogs.msdn.com/drnick/archive/2006/05/12/understanding-http-authentication.aspx: "Digest authentication requires the use of  
Windows domain accounts.  The digest realm indicates the Windows  
domain name.  Due to this, a server running on an operating system  
that does not support Windows domains, such as Windows XP Home,  
cannot be used with Digest authentication.  When the client is  
running on an operating system that does not support Windows domains,  
a domain account must be explicitly specified during the  
authentication."

http://www.imc.org/atom-syntax/mail-archive/msg06103.html: " (1) Some  
web-servers remove the WWW-Authenticate header before passing it to a  
CGI program."

http://www.imc.org/atom-protocol/mail-archive/msg00836.html: "do all  
digest and WSSE implementations require server-side access to
clear-text passwords or is that just a weakness of the  
implementations I looked at?"

http://www.imc.org/atom-syntax/mail-archive/msg00139.html:  "I'm a  
small site, security is very much a concern and my host does not  
provide Digest and won't do so."

Thus it's hard for an administrator to use today's Web server  
software and Digest authentication, and still have an application-specific  
database of usernames/passwords.  The server software gets  
in the way -- it may even be easier for the Web App developer to  
implement something non-standard like WSSE than have to rely on built-in  
functions.

i18n is also a problem: http://www.agileprogrammer.com/eightytwenty/archive/2006/05/04/14280.aspx

And for humour on the situation: http://bitworking.org/news/Problems_with_HTTP_Authentication_Interop

Lisa
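Two of the complaints quoted above (that Digest servers need clear-text passwords, and that a CGI never sees the Authorization header) are worth seeing in code. The block below is an added example, not code from this thread or from any of the quoted sites: it computes the RFC 2617 Digest exchange with qop=auth on both sides, keeps only HA1 = MD5(username:realm:password) in the server-side store rather than the password, and does the verification from the raw Authorization header, which is exactly the header an application must be able to read for this to work. The realm, user name, password and nonce are constructed sample values. MD5 is used because that is what Digest specifies; the security concerns with that are the ones Henrik already set aside.

```python
import hashlib
import hmac
import re
import secrets

REALM = "example.org"  # constructed realm for this example


def md5_hex(s: str) -> str:
    # RFC 2617 Digest is defined over MD5; nothing else is available to a
    # conforming implementation, which is the weakness noted in the thread.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). This is all the server has to
    # store; the clear-text password is only needed at enrolment time.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Server-side credential store: one HA1 per user, no passwords (constructed entry).
USER_DB = {"bob": make_ha1("bob", REALM, "correct horse battery")}


def client_authorization_header(username, password, method, uri, nonce):
    """Build the Authorization header a client sends after a nonce challenge."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    ha1 = make_ha1(username, REALM, password)  # the client has the password
    response = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (username, REALM, nonce, uri, nc, cnonce, response))


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header: str) -> dict:
    """Parse the quoted and unquoted key=value pairs of a Digest header."""
    if not header.startswith("Digest "):
        return {}
    params = {}
    for m in _PARAM_RE.finditer(header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def server_verify(header: str, method: str, expected_nonce: str) -> bool:
    """Verify an Authorization header against the HA1 store.

    This needs the raw header and the request method: a deployment that strips
    WWW-Authenticate/Authorization before reaching the application (the CGI
    case quoted in the thread) cannot perform this check at all.
    """
    p = parse_digest_header(header)
    ha1 = USER_DB.get(p.get("username", ""))
    if ha1 is None or p.get("realm") != REALM or p.get("nonce") != expected_nonce:
        return False
    if any(k not in p for k in ("uri", "nc", "cnonce", "response")):
        return False
    expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"],
                               p["cnonce"], p.get("qop", "auth"))
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected, p["response"])
```

The nonce is passed in explicitly here; a real server issues it in the WWW-Authenticate challenge and tracks it so a captured Authorization header cannot be replayed. Note that the method is bound into HA2, so the same header presented with a different method fails verification.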