IPP Mail Archive: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Paul Leach (paulle@microsoft.com)
Mon, 12 Apr 1999 09:44:26 -0700

> -----Original Message-----
> From: Michael Sweet [mailto:mike@easysw.com]
> Sent: Saturday, April 10, 1999 5:01 PM
> To: Larry Masinter
> Cc: Paul Moore; IETF-IPP; Paul Leach
> Subject: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
>
>
> Larry Masinter wrote:
> > ...
> > No, RFC 2069 Digest is more secure than Basic because it doesn't
> > require sending the password in the clear.
>
> Without auth-int you can spoof authorization with varying degrees of
> ease. Sure, you won't get the original password, but without auth-int
> you don't need it!

That's a non sequitur. It does not contradict Larry's statement at all.

Digest with a strong password is proof against passive attacks (such as
sniffing). Basic isn't.

Paul
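
The two points argued in this exchange, as an added illustration that is not code from either poster or from the IPP drafts: what a passive observer captures under Basic versus Digest, and whether the Digest response covers the request body without auth-int. The user, realm, password, URI and nonce are constructed sample values; the `qop` formulas are those of RFC 2617.

```python
import base64, hashlib, hmac

def md5_hex(data) -> str:
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.md5(data).hexdigest()

def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def password_from_basic(header: str) -> str:
    """What a passive observer recovers from a captured Basic header."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)[1]

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce="", body=b""):
    """qop=None is RFC 2069; "auth" and "auth-int" follow RFC 2617."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    if qop == "auth-int":
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}")  # body is hashed in
    else:
        ha2 = md5_hex(f"{method}:{uri}")                  # body not covered
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(received: str, **request) -> bool:
    """Server side: recompute from the stored secret, compare in constant time."""
    return hmac.compare_digest(received, digest_response(**request))

# Constructed sample request (names and values are made up for illustration).
REQ = dict(user="alice", realm="ipp@example.test", password="constructed-pw",
           method="POST", uri="/printers/lp", nonce="constructed-nonce-0001")

if __name__ == "__main__":
    hdr = basic_header(REQ["user"], REQ["password"])
    print("Basic on the wire :", hdr, "->", password_from_basic(hdr))
    print("Digest on the wire:", digest_response(**REQ))
    for qop in (None, "auth-int"):
        a = digest_response(**REQ, qop=qop, cnonce="c1", body=b"job A")
        b = digest_response(**REQ, qop=qop, cnonce="c1", body=b"job B")
        print(f"qop={qop}: response changes with body -> {a != b}")
```

The captured Digest response is still an MD5 computed over the password, which is why the message above qualifies its claim with "a strong password".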