[dix] Federated Digest Auth

"Hallam-Baker, Phillip" <pbaker@verisign.com> Tue, 28 February 2006 22:45 UTC

From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: Digital Identity Exchange <dix@ietf.org>

> From: Dick Hardt [mailto:dick@sxip.com] 

> There was an IETF BOF on Beyond Basic Auth that I had hoped 
> would develop some richer Auth mechanisms within HTTP that 
> could work with DIX.

How about Digest? It is supported in practically every browser in use, it
is secure against man-in-the-middle attack, it is a standard and a MUST
for HTTP/1.1.

It takes practically no work to federate Digest and there is prior art
on federation in the original proposal.


If you use the email address as the username, a common realm and SRV
records as a discovery mechanism you can implement an interoperable
federated auth scheme from existing code in a few hours.

The scheme can be made even more compact and avoid leaking the URI being
viewed by passing the HA2 value along with the federated auth request.

It's simple, secure and built on existing standards. When I discussed
this with Dan Connoly he had been thinking on very similar lines.

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix
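As an added illustration of the scheme sketched in the post above (this is example code, not the author's or the DIX group's implementation): the relying party parses a Digest Authorization, takes the email-address username, uses the domain part to discover the identity provider, and forwards the Digest parameters plus HA2 rather than the URI; the identity provider, which alone holds HA1, recomputes the response. The realm, user, nonce, the SRV lookup table and the in-process "endpoint" table are constructed stand-ins, since the post names no SRV service label or wire format.

```python
import hashlib
import hmac

REALM = "dix.example"  # constructed common realm shared by all participants

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username: str, password: str) -> str:
    # HA1 = MD5(username:realm:password); only the identity provider holds this
    return md5hex(f"{username}:{REALM}:{password}")

def ha2(method: str, uri: str) -> str:
    # HA2 = MD5(method:uri); the relying party forwards this instead of the URI
    return md5hex(f"{method}:{uri}")

def digest_response(h1: str, nonce: str, nc: str, cnonce: str, h2: str) -> str:
    # RFC 2617 qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")

# --- Identity provider side: stores HA1 per user (constructed store) ---
IDP_HA1 = {"alice@example.com": ha1("alice@example.com", "correct horse")}

def idp_verify(fed_req: dict) -> bool:
    h1 = IDP_HA1.get(fed_req["username"])
    if h1 is None:
        return False
    expected = digest_response(h1, fed_req["nonce"], fed_req["nc"],
                               fed_req["cnonce"], fed_req["ha2"])
    return hmac.compare_digest(expected, fed_req["response"])

# --- Relying party side: discover the IdP from the email domain, forward HA2 ---
SRV_TABLE = {"example.com": "idp.example.com"}   # constructed stand-in for a DNS SRV lookup
IDP_ENDPOINTS = {"idp.example.com": idp_verify}  # constructed stand-in for the network call
RP_NONCES = {"n1c3n0nce"}                        # nonces this relying party issued (constructed)

def discover_idp(username: str):
    return SRV_TABLE.get(username.rpartition("@")[2])

def rp_authenticate(method: str, uri: str, authz: dict) -> bool:
    if authz.get("realm") != REALM or authz.get("qop") != "auth":
        return False
    if authz.get("nonce") not in RP_NONCES:  # only accept nonces we issued
        return False
    fed_req = {k: authz[k] for k in ("username", "nonce", "nc", "cnonce", "response")}
    fed_req["ha2"] = ha2(method, uri)  # the URI being viewed never leaves the relying party
    handler = IDP_ENDPOINTS.get(discover_idp(authz["username"]))
    return handler is not None and handler(fed_req)
```

Because HA2 covers method and URI, a response captured for one resource does not verify for another, which the assertions below exercise alongside the unknown-domain and foreign-nonce cases.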