IPP Mail Archive: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Michael Sweet (mike@easysw.com)
Mon, 12 Apr 1999 13:41:38 -0400

Paul Leach wrote:
> ...
> That's a non sequitur. It does not contradict Larry's statement at
> all.

No, but his statement implied that Digest is immune from passive
attacks, which for many/most of the current implementations it is NOT.

> Digest with a strong password is proof against passive attacks (such
> as sniffing). Basic isn't.

It has nothing to do with the "strength" of the password (what does
that even mean???), but it has everything to do with what level of
protection a server implementation provides, basically how often the
nonce value is changed and whether or not the server does message
body authentication.

The Apache Digest authentication module, for example, seems to accept
any incoming nonce value for authorization.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products                  mike@easysw.com
Printing Software for UNIX                       http://www.easysw.com
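
The server-side nonce check this message turns on, as an added example that is not part of the original message and is not Apache's code: the server only honours nonces it issued itself and only within a time window, so a sniffed Authorization header stops working once the nonce ages out. `SERVER_KEY`, `NONCE_LIFETIME` and all function names are assumptions; the request digest is the form without qop, and message body authentication is not covered.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # assumed per-server secret, never sent to clients
NONCE_LIFETIME = 60          # seconds; assumed policy value

def _mac(ts):
    return hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()

def make_nonce(now):
    """Issue a nonce the server can later recognise as its own: 'time:MAC(time)'."""
    ts = str(int(now))
    return f"{ts}:{_mac(ts)}"

def nonce_status(nonce, now):
    """Classify a nonce from an Authorization header as ok, stale or forged."""
    ts, sep, mac = nonce.partition(":")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return "forged"
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return "forged"
    return "ok" if 0 <= now - int(ts) <= NONCE_LIFETIME else "stale"

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """Request digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def check_request(auth, method, password, now, validate_nonce=True):
    """auth: already-parsed Authorization fields. Returns ok/stale/forged/bad-response."""
    if validate_nonce:
        status = nonce_status(auth["nonce"], now)
        if status != "ok":
            return status  # 401; 'stale' lets the client retry with a fresh nonce
    expected = digest_response(auth["username"], auth["realm"], password,
                               method, auth["uri"], auth["nonce"])
    ok = hmac.compare_digest(expected.encode(), auth["response"].encode())
    return "ok" if ok else "bad-response"

def demo():
    """Constructed data: one header observed at t0, presented again an hour later."""
    t0, pw = 1_000_000, "example-password"
    auth = {"username": "alice", "realm": "ipp", "uri": "/printers/p1",
            "nonce": make_nonce(t0)}
    auth["response"] = digest_response("alice", "ipp", pw, "POST", auth["uri"], auth["nonce"])
    return (check_request(auth, "POST", pw, t0 + 5),
            check_request(auth, "POST", pw, t0 + 3600, validate_nonce=False),
            check_request(auth, "POST", pw, t0 + 3600))
```

`demo()` returns the verdict for the original request, for the same header presented an hour later to a server that skips the nonce check, and for that later presentation with the check enabled.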