I have not read any of the patents on this for reasons that
will be familiar.
If I was going to revisit Digest I would at the very least
include an ephemeral D-H key into the mix so that the digest
value was at a minimum secure against a brute force attack
by a man in the middle.
Has every avenue to that end been encumbered?
> -----Original Message-----
> From: ietf-http-auth-bounces osafoundation.org
> [mailto:ietf-http-auth-bounces osafoundation.org] On Behalf
> Of Mark Nottingham
> Sent: Monday, June 26, 2006 3:58 PM
> To: EKR
> Cc: dix ietf.org; ietf-http-auth lists.osafoundation.org
> Subject: Re: [Ietf-http-auth] Notes on Web authentication enhancements
>
> You're right (unless I missed something else);
>
> [2617]
> > digest-uri = "uri" "=" digest-uri-value
> > digest-uri-value = request-uri ; As specified by HTTP/1.1
>
> [2616]
> > Request-URI = "*" | absoluteURI | abs_path | authority
>                                     ^^^^^^^^ A pity.
>
>
> On 2006/06/26, at 12:00 PM, Eric Rescorla wrote:
>
> > Mark Nottingham <mnot yahoo-inc.com> writes:
> >
> >> On 2006/06/23, at 3:29 PM, Eric Rescorla wrote:
> >>> Part of the problem is that the user and the software have a
> >>> different view of the RP's identity. The software knows that
> >>> C1tibank and Citibank are different, but the user does not.
> >>
> >> Fair enough.
> >>
> >> Would it be correct to say that HTTP Digest Auth has this property
> >> already (because A2 includes the digest-uri-value)? There are other
> >> attacks that can be made against Digest, of course (e.g., dictionary
> >> against weak passwords), but it's interesting to think of it as
> >> having anti-phishing properties.
> >
> > I'm not 100% sure. IIRC, the digest-uri-value is only the path
> > portion, i.e.,
> >
> > /example/example.html
> >
> > rather than
> >
> > http://www.example.com/example/example.html
> >
> > But I could totally be wrong on this.
> >
> >
> > -Ekr
> >
> >
>
> --
> Mark Nottingham
> mnot yahoo-inc.com
>
>
>
> _______________________________________________
> Ietf-http-auth mailing list
> Ietf-http-auth osafoundation.org
> http://lists.osafoundation.org/cgi-bin/mailman/listinfo/ietf-http-auth
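A worked illustration of the point EKR and Mark settle in the quoted thread, added here as an example and not part of the list archive or of either author's message: in RFC 2617 Digest, A2 is method:digest-uri-value, and with the usual abs_path form of Request-URI the digest-uri-value carries only the path, so the host name never enters the hash. The code computes the qop=auth response exactly as RFC 2617 section 3.1.3 defines it, checks itself against the RFC's own section 3.5 test vector (Mufasa / "Circle Of Life"), and then shows that two different hosts serving the same path under the same realm and nonce yield an identical response. The host names, credentials and nonce in the second part are constructed values.

```python
import hashlib
from urllib.parse import urlsplit


def _md5_hex(s: str) -> str:
    """H() of RFC 2617: lower-case hex MD5 of the string."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_uri_value(url: str) -> str:
    """The abs_path form of Request-URI that a typical client puts in uri=.

    Scheme and host are dropped; only path (and query, if present) remain.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    return f"{path}?{parts.query}" if parts.query else path


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop="auth":
         A1 = username:realm:password
         A2 = method:digest-uri-value
         response = H( H(A1) : nonce : nc : cnonce : qop : H(A2) )
    """
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Test vector from RFC 2617 section 3.5 (the one set of values here not constructed)
RFC2617_VECTOR = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b",
)
RFC2617_EXPECTED = "6629fae49393a05397450978507c4ef1"


def responses_for_hosts(hosts, path, **creds):
    """Response a client would send for the same path on each host, holding
    realm, nonce and cnonce fixed. Returns {host: response}."""
    return {
        h: digest_response(uri=digest_uri_value(f"https://{h}{path}"), **creds)
        for h in hosts
    }


def host_is_bound(hosts, path, **creds) -> bool:
    """True only if the host name actually changes the computed response."""
    distinct = set(responses_for_hosts(hosts, path, **creds).values())
    return len(distinct) == len(set(hosts))


if __name__ == "__main__":
    assert digest_response(**RFC2617_VECTOR) == RFC2617_EXPECTED
    creds = dict(  # constructed credentials and challenge values
        username="alice", realm="example", password="correct horse",
        method="GET", nonce="c0ffee", nc="00000001", cnonce="1234",
    )
    hosts = ["www.example.com", "www.example.net"]
    for host, resp in responses_for_hosts(hosts, "/example/example.html", **creds).items():
        print(f"{host:20} {resp}")
    print("host bound into response:", host_is_bound(hosts, "/example/example.html", **creds))
```

The realm is in A1, but the realm is a server-chosen string, so it binds nothing the client verifies; the only place the request's target could have been bound is A2, and with abs_path that is just the path. This is why the thread concludes that Digest's digest-uri-value does not, by itself, give the anti-phishing property Mark hoped for.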