---------- Forwarded message ----------
From: Robert Sayre <[hidden email]>
Date: Mar 3, 2006 1:33 AM
To: [hidden email]
I recently encountered a situation where I wanted to use Digest
authentication, but only had already-hashed passwords to work with.
So, I thought I would try fixing Digest authentication. I've read that
many people want to do this, but I haven't seen any action in this
The scheme presented in the draft below allows the client to include
request header values in the digest, for message integrity. There is
no provision for entity integrity checking. However, the client could
include a Content-MD5 header, and the server would only have to verify
that value after the client had passed the challenge. The scheme also
omits server nonces, and forces clients to send creation timestamps
The draft includes working client and server Python scripts.
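The message describes four properties of the proposed scheme: the server needs only an already-hashed password (the RFC 2617 HA1 value), request header values are bound into the digest, there is no server nonce because the client supplies a creation timestamp, and Content-MD5 is verified only after the credential check passes. The following Python is an added illustration of those ideas and is not the draft's own client or server scripts; the set of signed headers, the timestamp freshness window, the realm, the user and the password are all constructed for the example, and MD5 is used only because that is the Digest algorithm the scheme builds on.

```python
"""Added illustration of a Digest-style check that stores only HA1 on the server, binds
selected request headers into the digest, uses a client timestamp as the nonce, and
verifies Content-MD5 only after the digest check succeeds. Constructed example."""
import base64
import hashlib
import hmac

REALM = "example.org"          # constructed realm
MAX_SKEW_SECONDS = 300         # assumed freshness window for the client's timestamp
SIGNED_HEADERS = ("host", "content-type", "content-md5")  # assumed set of headers bound into the digest


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_ha1(username: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(user:realm:password). The server stores only this value."""
    return md5_hex(f"{username}:{REALM}:{password}".encode())


# Server-side store holding nothing but HA1 values (constructed user and password).
USER_DB = {"alice": make_ha1("alice", "correct horse battery")}


def canonical_headers(headers: dict) -> str:
    """Lowercased names, trimmed values, fixed order, so client and server hash identical bytes."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return "\n".join(f"{name}:{lowered.get(name, '')}" for name in SIGNED_HEADERS)


def compute_response(ha1: str, method: str, uri: str, headers: dict, timestamp: str) -> str:
    """Digest over method, URI, the signed headers and the client timestamp (used as the nonce)."""
    ha2 = md5_hex(f"{method}:{uri}:{md5_hex(canonical_headers(headers).encode())}".encode())
    return md5_hex(f"{ha1}:{timestamp}:{ha2}".encode())


def content_md5(body: bytes) -> str:
    """Content-MD5 header value: base64 of the raw MD5 digest of the entity body."""
    return base64.b64encode(hashlib.md5(body).digest()).decode()


def build_request(username: str, password: str, method: str, uri: str, body: bytes, now: float):
    """Client side: the client holds the password, derives HA1 itself and signs the request."""
    ts = str(int(now))
    headers = {"Host": REALM, "Content-Type": "application/json", "Content-MD5": content_md5(body)}
    ha1 = make_ha1(username, password)
    headers["Authorization"] = (
        f'Digest username="{username}", uri="{uri}", timestamp="{ts}", '
        f'response="{compute_response(ha1, method, uri, headers, ts)}"'
    )
    return method, uri, headers, body


def parse_authorization(value: str) -> dict:
    """Minimal parser for the quoted key=value list used above."""
    scheme, _, params = value.partition(" ")
    if scheme != "Digest":
        raise ValueError("unsupported scheme")
    out = {}
    for part in params.split(", "):
        key, _, val = part.partition("=")
        out[key.strip()] = val.strip().strip('"')
    return out


def verify_request(user_db: dict, method: str, uri: str, headers: dict, body: bytes, now: float) -> str:
    """Server side. Returns 'ok' or a short rejection reason; never needs the plaintext password."""
    try:
        auth = parse_authorization(headers.get("Authorization", ""))
        ts = int(auth["timestamp"])
    except (ValueError, KeyError):
        return "malformed"
    if abs(now - ts) > MAX_SKEW_SECONDS:          # client timestamp replaces a server nonce
        return "stale timestamp"
    ha1 = user_db.get(auth.get("username"))
    if ha1 is None:
        return "unknown user"
    if auth.get("uri") != uri:
        return "uri mismatch"
    expected = compute_response(ha1, method, uri, headers, auth["timestamp"])
    if not hmac.compare_digest(expected, auth.get("response", "")):
        return "bad digest"
    # The digest already covered the Content-MD5 header, so the body is hashed only now.
    if headers.get("Content-MD5") != content_md5(body):
        return "body tampered"
    return "ok"
```

Because the Content-MD5 header is one of the signed headers, an attacker who alters the body must also alter that header, which in turn breaks the digest; the server therefore hashes the body only for requests that have already passed the credential check, which is the ordering the message proposes.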