Fwd: draft-sayre-http-hmac-digest-00

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Fwd: draft-sayre-http-hmac-digest-00

Rob Sayre-2

---------- Forwarded message ----------
From: Robert Sayre <[hidden email]>
Date: Mar 3, 2006 1:33 AM
Subject: draft-sayre-http-hmac-digest-00
To: [hidden email]

All,

I recently encountered a situation where I wanted to use Digest
authentication, but only had already-hashed passwords to work with.
So, I thought I would try fixing Digest authentication. I've read that
many people want to do this, but I haven't seen any action in this
area.

The scheme presented in the draft below allows the client to include
request header values in the digest, for message integrity. There is
no provision for entity integrity checking. However, the client could
include a Content-MD5 header, and the server would only have to verify
that value after the client had passed the challenge. The scheme also
omits server nonces, and forces clients to send creation timestamps
instead.

The draft includes working client and server Python scripts.

http://franklinmint.fm/2006/03/03/draft-sayre-http-hmac-digest-00.html
http://franklinmint.fm/2006/03/03/draft-sayre-http-hmac-digest-00.txt

It has all the problems you would expect with shared-secret
authentication. But, on the plus side, it works with drop-in PHP
scripts like Wordpress, and I hope it's better than basic.

--

Robert Sayre