Talk:Digest access authentication

From Wikipedia, the free encyclopedia

MD5 security?

The article talks about "MD5 cryptographic hashing". MD5 has got nothing to do with cryptography. It simply converts a string into a hash value (fingerprint).

It's like putting a meal in a blender: afterwards, it's hard to determine what the meal was. But it's easy to say if it was the same meal as another blended one. Nothing magic, nothing secure, nothing cryptographic.

--Jms 17:58, 30 November 2007 (UTC)

Strike This Sentence

"RFC 2617 assumes that the scheme is understood and fails to complete the example," I don't see the relevance of that statement to this article. Miqrogroove 08:57, 24 July 2007 (UTC)

Taking the example in the RFC by itself, it is quite difficult to see how you can get from the inputs to the outputs – at least not without actually writing the code to do it. This Wikipedia article tries to make the example as clear as possible, as a better guide to implementation (or understanding an implementation). Perhaps the sentence needs rewording, but the point is that the article is intended to be more useful than the original specification in this respect. Thanks.  — Lee J Haywood 18:59, 24 July 2007 (UTC)
The encyclopaedia's intentions are relevant to the article? Miqrogroove 01:51, 4 August 2007 (UTC)
Erm, well they're my intentions, not the encyclopaedia's. I think you mean that the sentence is very critical and implies an opinion, which really is irrelevant. The sentence was just an introduction to the second section of the example, but I've seen a way to improve it. I've reworded it now. (: Thanks!  — Lee J Haywood 07:32, 4 August 2007 (UTC)

Biased...

One of the first sentences is strange... "This method builds upon (and obsoletes) the Basic access authentication, allowing user identity to be established without having to send a password in plaintext over the network."

  • "and obsoletes" is clearly biased and unsupported by any sources.
  • "This method builds upon"... well... HTTP Digest Authentication most likely builds upon previous Digest Authentication schemes.

The article is overly positive towards digest authentication, while completely failing to discuss why Digest Authentication schemes have not been successful - while form-based authentication and HTTP Basic authentication have a much higher adoption/acceptance rate.

The article is missing a discussion on the "3.5 Storing passwords" section of the Digest RFC, and more importantly the article fails to discuss that the password also has to be known to the server in order to perform "2.2 Digest Operation". This is key to realizing why Digest Authentication protocols are not well suited for e.g. enterprise authentication solutions (where the authentication server is different from the HTTP server, e.g. an LDAP repository, and HA1/cleartext password is not available to the HTTP server).

--Blaufish 13:09, 26 September 2007 (UTC)
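The following is an added worked example, not code from the Wikipedia article, the RFC, or any of the posters here. It computes the RFC 2617 "qop=auth" response step by step (HA1, HA2, response), which is the part of the RFC example that Lee J Haywood's reply above says is hard to follow from the RFC text alone, and then shows Blaufish's point from the server side: the HTTP server can only check the response if it holds either the cleartext password or the HA1 value (RFC 2617 section 3.5), and a directory that stores only a salted one-way hash of the password cannot verify a Digest response at all. The sample values (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life", the nonce, cnonce and expected response) are copied from RFC 2617 section 3.5; the credential-store layouts, the salted-SHA-1 stand-in for an LDAP record, and all function names are this example's own assumptions.

```python
"""RFC 2617 Digest (qop=auth) computed step by step, plus three server-side stores.

Added example; not the Wikipedia article's or the RFC's code. Sample values are
from RFC 2617 section 3.5. Store layouts and function names are assumptions.
"""
import hashlib
import hmac
import os


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The only step that needs the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def compute_ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digest-uri) for qop=auth (auth-int would also hash the body)."""
    return md5_hex(f"{method}:{uri}")


def compute_response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), as sent in the Authorization header."""
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the browser puts in the response= field; it holds the cleartext password."""
    return compute_response(compute_ha1(username, realm, password),
                            nonce, nc, cnonce, qop, compute_ha2(method, uri))


# Three credential-store layouts (constructed for this example):
#   {"password": ...}    cleartext password available to the HTTP server
#   {"ha1": ...}         RFC 2617 section 3.5 style: MD5(user:realm:password) stored instead
#   {"sha1_salted": ...} the usual directory/LDAP layout: salted one-way hash only
def store_ha1(record: dict, username: str, realm: str):
    """Return HA1 for this user if the store can produce it, else None."""
    if "ha1" in record:
        return record["ha1"]
    if "password" in record:
        return compute_ha1(username, realm, record["password"])
    return None  # a salted hash of the password cannot be turned back into HA1


def server_verify(record, username, realm, method, uri, nonce, nc, cnonce, qop, presented):
    """True/False when the store can check the response; None when it cannot at all."""
    h1 = store_ha1(record, username, realm)
    if h1 is None:
        return None
    expected = compute_response(h1, nonce, nc, cnonce, qop, compute_ha2(method, uri))
    return hmac.compare_digest(expected, presented)


def impersonate_from_ha1(stolen_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 section 4.13: a stored HA1 is password-equivalent within its realm."""
    return compute_response(stolen_ha1, nonce, nc, cnonce, qop, compute_ha2(method, uri))


def salted_sha1(password: str, salt: bytes) -> str:
    """Stand-in for an {SSHA}-style LDAP record: salt || SHA-1(password || salt)."""
    return (salt + hashlib.sha1(password.encode("utf-8") + salt).digest()).hex()


# RFC 2617 section 3.5 sample values
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE, RFC_CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
RFC_METHOD, RFC_URI, RFC_NC, RFC_QOP = "GET", "/dir/index.html", "00000001", "auth"
RFC_RESPONSE = "6629fae49393a05397450978507c4ef1"


def demo() -> dict:
    resp = client_response(RFC_USER, RFC_REALM, RFC_PASSWORD,
                           RFC_METHOD, RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE)
    args = (RFC_USER, RFC_REALM, RFC_METHOD, RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE, RFC_QOP, resp)
    h1 = compute_ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)
    return {
        "matches_rfc_example": resp == RFC_RESPONSE,
        "cleartext_store": server_verify({"password": RFC_PASSWORD}, *args),
        "ha1_store": server_verify({"ha1": h1}, *args),
        "salted_hash_store": server_verify({"sha1_salted": salted_sha1(RFC_PASSWORD, os.urandom(8))}, *args),
        "ha1_is_password_equivalent": impersonate_from_ha1(
            h1, RFC_METHOD, RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE) == resp,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the output makes concrete: the salted-hash store returns None rather than False, because it is not a wrong answer but no answer (there is nothing for the server to compare against), and the HA1 store verifies correctly yet anyone who reads that HA1 can produce a valid response without ever learning the password, which is why RFC 2617 warns that the stored HA1 must be protected as if it were the password.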

OK! Some hours later, I think I have resolved the bias problem! I made a minor change to the sentence, and added sections to discuss both advantages and disadvantages of Digest access authentication. I think this produces a richer and more complete understanding of the topic for the reader.

--Blaufish 20:10, 26 September 2007 (UTC)

Missing reference...

I agree it is not vulnerable to the most discussed class of MD5 collision attacks -- since they generate a collision from a known (plaintext, hash) pair -- but we should probably have a suitable reference here rather than just claiming it to be so. --Blaufish 13:18, 26 September 2007 (UTC)

I've changed the wording slightly, emphasizing that no MD5 attack has been shown to be a threat to Digest authentication. Also added references to known MD5 attacks. --Blaufish 21:25, 29 September 2007 (UTC)


Browser Implementation Update

After tests with Microsoft Internet Explorer (MSIE) 6 on 2000 and MSIE 7 on XP and Vista I'm not sure if the limitations mentioned are still present.

Therefore I suggest updating 'In the past ...' or removing the 'Browser Implementation' section. —Preceding unsigned comment added by Lmuelle 17:28, 4 December 2007 (UTC)