IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Paul Leach paulle at microsoft.com
Mon Apr 12 12:44:26 EDT 1999



> -----Original Message-----
> From: Michael Sweet [mailto:mike at easysw.com]
> Sent: Saturday, April 10, 1999 5:01 PM
> To: Larry Masinter
> Cc: Paul Moore; IETF-IPP; Paul Leach
> Subject: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
> 
> 
> Larry Masinter wrote:
> > ...
> > No, RFC 2069 Digest is more secure than Basic because it doesn't
> > require sending the password in the clear.
> 
> Without auth-int you can spoof authorization with varying degrees of
> ease.  Sure, you won't get the original password, but without auth-int
> you don't need it!

That's a non sequitur. It does not contradict Larry's statement at all.

Digest with a strong password is proof against passive attacks (such as
sniffing). Basic isn't.

Paul
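
Added example, not part of the original message: a Python sketch of what each scheme exposes on the wire, covering both the passive-sniffing point above and the quoted auth-int point. The user, realm, password, nonce, URI, cnonce and request bodies are constructed values; the auth-int formula is the one defined in RFC 2617.

```python
import base64
import hashlib


def h(data: bytes) -> str:
    """MD5 hex digest, the hash both Digest variants use."""
    return hashlib.md5(data).hexdigest()


def basic_credentials(user: str, password: str) -> str:
    """Basic Authorization value: base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: str) -> tuple:
    """What any passive observer of a Basic header can read back."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce,
                    body=b"", qop=None, nc="00000001", cnonce="c0ffee00"):
    """Digest 'response' value; only this hash (not the password) is sent."""
    ha1 = h(f"{user}:{realm}:{password}".encode())
    if qop == "auth-int":
        # RFC 2617 auth-int: A2 includes H(entity-body), so the body is covered.
        ha2 = h(f"{method}:{uri}:{h(body)}".encode())
        return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())
    # RFC 2069: A2 is method:uri only, so the body is not part of the hash.
    ha2 = h(f"{method}:{uri}".encode())
    return h(f"{ha1}:{nonce}:{ha2}".encode())


# Constructed sample values (assumptions, not taken from the thread).
USER, REALM, PASSWORD = "operator", "ipp-example", "constructed-Passw0rd!"
METHOD, URI, NONCE = "POST", "/printers/example", "5f2a9c1e7b3d4a60"
JOB_A = b"constructed IPP request body A"
JOB_B = b"constructed IPP request body B"

if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic(basic_credentials(USER, PASSWORD)))
    args = (USER, REALM, PASSWORD, METHOD, URI, NONCE)
    print("RFC 2069, body A:", digest_response(*args, body=JOB_A))
    print("RFC 2069, body B:", digest_response(*args, body=JOB_B))
    print("auth-int, body A:", digest_response(*args, body=JOB_A, qop="auth-int"))
    print("auth-int, body B:", digest_response(*args, body=JOB_B, qop="auth-int"))
```

The two RFC 2069 lines print the same value because the request body never enters the hash, while the two auth-int lines differ.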


