IPP Mail Archive: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Paul Leach (paulle@microsoft.com)
Tue, 13 Apr 1999 11:17:30 -0700

> -----Original Message-----
> From: Michael Sweet [mailto:mike@easysw.com]
> Sent: Tuesday, April 13, 1999 10:40 AM
> To: Paul Leach
> Cc: Larry Masinter; Scott Lawrence; IETF-IPP
> Subject: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
>
>
> Paul Leach wrote:
> > ...
> > True, but so does the client. It can (and should be able to be)
> > configured with the lowest level of security it will accept, and if
> > the server only offers less secure protocols than that, it refuses
> > to connect.
>
> This isn't really a negotiation, though. The client can't change what
> the server wants, and vice versa...

I agree. I didn't mean to imply it was. I was just carrying your argument
about the server to the client side as well.

>
> > BTW: there is advantage to running Digest (instead of Basic), even
> > with the weakest options, inside of TLS. Basic exposes your password
> > to the server, whereas Digest server can store hashes of passwords
> > that are realm specific, and so use of the same password in multiple
> > realms isn't as big an exposure.
> > ...
>
> I agree that there are a lot of benefits with using Digest, but to
> interface to an existing non-MD5-based authorization system you need
> to use Basic so you have the original password text to work with.

Sorry, I'm not sure I understand that.

If it means that there needs to be a way to set the password originally, and
to change the password later, neither of which is specified by the Digest
protocol, you're right. I don't think those considerations mean that one
requires the use of Basic auth, though -- it has the exact same issues.

Paul
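The following is an added illustration of the point Paul makes about realm-specific stored hashes; it is not code from this thread, from the IPP working group or from any IPP implementation. It is a small Python model of HTTP Digest authentication (RFC 2617, qop=auth) in which the server retains only HA1 = MD5(username:realm:password), so the same password enrolled under two realms leaves two unrelated values on disk and the server never handles the plaintext after enrollment. The enrollment step itself is where the plaintext is needed, which is the "set the password originally" gap Paul refers to. The realm names, user name, password, URI and client nonces are constructed for the example; the one real test vector is the worked example from RFC 2617 section 3.5.

```python
"""Digest authentication (RFC 2617, qop=auth) with a server that stores only
realm-specific HA1 hashes. Added example; not code from the IPP thread."""
import hashlib
import hmac
import secrets


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). This is all a Digest server needs
    to keep. Because the realm is mixed in, the same password enrolled in two
    realms produces two unrelated stored values."""
    return md5_hex("%s:%s:%s" % (username, realm, password))


def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s:%s:%s:%s" % (h1, nonce, nc, cnonce, qop, ha2))


class DigestServer:
    """Verifies Digest responses from stored HA1 values only. The plaintext
    password is seen once, at enrollment, which RFC 2617 does not specify."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}   # username -> HA1 hex; no plaintext retained
        self.nonces = {}        # nonce -> highest nonce count accepted so far

    def enroll(self, username, password):
        self.ha1_by_user[username] = ha1(username, self.realm, password)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        last_nc = self.nonces.get(nonce)
        if last_nc is None:
            return False                      # unknown or expired nonce
        nc_value = int(nc, 16)
        if nc_value <= last_nc:
            return False                      # replayed nonce count
        stored = self.ha1_by_user.get(username)
        if stored is None:
            return False                      # unknown user
        expected = digest_response(stored, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False                      # wrong password or tampered request
        self.nonces[nonce] = nc_value
        return True


def client_authorization(username, password, method, uri, chal, nc, cnonce):
    """What the client sends back; it derives HA1 from the password it holds."""
    h1 = ha1(username, chal["realm"], password)
    return {"username": username, "nonce": chal["nonce"], "nc": nc,
            "cnonce": cnonce,
            "response": digest_response(h1, method, uri, chal["nonce"], nc, cnonce)}


def rfc2617_example_response():
    """The worked example from RFC 2617 section 3.5, recomputed here."""
    h1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return digest_response(h1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")


def demo():
    """One exchange against an HA1-only server. All names here are constructed."""
    password = "correct horse battery staple"
    printers = DigestServer("printers.example")
    printers.enroll("mike", password)
    mail = DigestServer("mail.example")
    mail.enroll("mike", password)          # same password, different realm

    chal = printers.challenge()
    good = client_authorization("mike", password, "POST", "/ipp/print",
                                chal, "00000001", "7b3c1e")
    accepted = printers.verify("mike", "POST", "/ipp/print", good["nonce"],
                               good["nc"], good["cnonce"], good["response"])
    replayed = printers.verify("mike", "POST", "/ipp/print", good["nonce"],
                               good["nc"], good["cnonce"], good["response"])
    bad = client_authorization("mike", "wrong password", "POST", "/ipp/print",
                               chal, "00000002", "7b3c1f")
    wrong = printers.verify("mike", "POST", "/ipp/print", bad["nonce"],
                            bad["nc"], bad["cnonce"], bad["response"])
    return {
        "accepted": accepted,
        "replay_rejected": not replayed,
        "wrong_password_rejected": not wrong,
        "ha1_differs_across_realms":
            printers.ha1_by_user["mike"] != mail.ha1_by_user["mike"],
    }


if __name__ == "__main__":
    print(rfc2617_example_response())
    print(demo())
```

The server-side store contains nothing a Basic-auth server could use to verify the same user: HA1 is already bound to the realm string, which is the trade-off Michael raises about existing non-MD5 authorization back ends.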