IPP Mail Archive: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Michael Sweet (mike@easysw.com)
Tue, 13 Apr 1999 13:40:07 -0400

Paul Leach wrote:
> ...
> True, but so does the client. It can (and should be able to be)
> configured with the lowest level of security it will accept, and if
> the server only offers less secure protocols than that, it refuses
> to connect.

This isn't really a negotiation, tho. The client can't change what
the server wants, and vice versa...

> BTW: there is advantage to running Digest (instead of Basic), even
> with the weakest options, inside of TLS. Basic exposes your password
> to the server, whereas Digest server can store hashes of passwords
> that are realm specific, and so use of the same password in multiple
> realms isn't as big an exposure.
> ...

I agree that there are a lot of benefits with using Digest, but to
interface to an existing non-MD5-based authorization system you need
to use Basic so you have the original password text to work with.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products                  mike@easysw.com
Printing Software for UNIX                       http://www.easysw.com
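
Added example, not part of the original message: a Python sketch of the two points in this exchange, that a Digest server can verify a login from a stored realm-specific hash, and that a non-MD5 password store can only check the password text that Basic delivers. The user, password, realms, nonce and URI are constructed, and PBKDF2-SHA256 is an assumed stand-in for the existing authorization system.

```python
import hashlib, hmac, os

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user, realm, password):
    # What a Digest server stores instead of the password: realm-specific.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, nonce, method, uri):
    # RFC 2069 form (no qop): MD5(HA1:nonce:MD5(method:uri))
    return md5_hex(f"{ha1_hex}:{nonce}:{md5_hex(method + ':' + uri)}")

def digest_verify(stored_ha1, nonce, method, uri, response):
    # Server side: needs only the stored HA1, never the password.
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)

def legacy_enroll(password, salt=None):
    # Stand-in (assumption) for an existing non-MD5 password store.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def legacy_verify(record, presented):
    # Can only check a candidate password text, which is what Basic delivers.
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, 10_000)
    return hmac.compare_digest(stored, candidate)

def demo():
    user, password = "alice", "constructed-password"  # constructed values
    nonce, method, uri = "constructed-nonce-0001", "POST", "/printers/example"
    ha1_a = ha1(user, "realm-a.example", password)
    ha1_b = ha1(user, "realm-b.example", password)
    response = digest_response(ha1_a, nonce, method, uri)  # sent to realm A
    legacy = legacy_enroll(password)
    return {
        # Same password, different stored value per realm.
        "realm_hashes_differ": ha1_a != ha1_b,
        "realm_a_accepts": digest_verify(ha1_a, nonce, method, uri, response),
        # Realm B's stored hash does not validate a response built for A.
        "realm_b_accepts": digest_verify(ha1_b, nonce, method, uri, response),
        # Basic hands over the password text, so the legacy store can check it.
        "legacy_accepts_basic": legacy_verify(legacy, password),
        # A Digest response is not the password; the legacy store rejects it.
        "legacy_accepts_digest": legacy_verify(legacy, response),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stored HA1 still works as a credential within its own realm, so it needs the same protection at rest as any other password verifier.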