[dix] Federated Digest Auth
> From: Dick Hardt [mailto:dick at sxip.com]
> There was an IETF BOF on Beyond Basic Auth that I had hoped
> would develop some richer Auth mechanisms within HTTP that
> could work with DIX.
How about Digest? It is supported in practically every browser in use, it
is secure against man-in-the-middle attacks, it is a standard and a MUST
for HTTP/1.1.
It takes practically no work to federate Digest and there is prior art
on federation in the original proposal.
If you use the email address as the username, a common realm and SRV
records as a discovery mechanism, you can implement an interoperable
federated auth scheme from existing code in a few hours.
The scheme can be made even more compact and avoid leaking the URI being
viewed by passing the HA2 value along with the federated auth request.
It's simple, secure and built on existing standards. When I discussed
this with Dan Connolly he had been thinking on very similar lines.
_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
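The scheme sketched in the message above, worked through as an added example; this is not code from the poster, the DIX proposal or any browser, and it assumes a constructed common realm (`dix.example`), a dictionary standing in for the DNS SRV lookup, and a dictionary standing in for the home provider's credential store. The hashes are RFC 2617 Digest with `qop=auth`: the home provider keeps only HA1 = MD5(username:realm:password), the relying party computes HA2 = MD5(method:uri) itself and forwards HA2 rather than the URI, so the page being viewed is not disclosed to the home provider. The block also reproduces the RFC 2617 section 3.5 test vector so the primitives can be checked against the standard.

```python
import hashlib
import re
import secrets

# Constructed common realm shared by every party in the federation (assumption).
REALM = "dix.example"


def md5_hex(s: str) -> str:
    """RFC 2617 H(): hex-encoded MD5 of a string."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def kd(secret: str, data: str) -> str:
    """RFC 2617 KD(): H(secret ':' data)."""
    return md5_hex(f"{secret}:{data}")


def ha1(username: str, realm: str, password: str) -> str:
    """A1 hash. With a common realm this is the only secret the home provider stores."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """A2 hash for qop=auth. Binds method and URI without revealing the URI itself."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1_value: str, nonce: str, nc: str, cnonce: str, qop: str, ha2_value: str) -> str:
    """request-digest for qop=auth, exactly as RFC 2617 3.2.2.1 defines it."""
    return kd(ha1_value, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2_value}")


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k=v, ...' into a dict; handles quoted and bare values."""
    if not header.startswith("Digest "):
        return {}
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', header[len("Digest "):]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


# Constructed stand-in for DNS: the real scheme resolves an SRV record for the
# email domain to find the home provider; a dictionary replaces that lookup here.
SRV_RECORDS = {"example.org": "auth.example.org"}

# Constructed home-provider store, keyed by host, holding HA1 values only.
HOME_STORES = {
    "auth.example.org": {
        "alice@example.org": ha1("alice@example.org", REALM, "correct horse"),
    },
}


def discover_home_provider(username: str):
    """Email-as-username discovery: domain part -> home provider host (or None)."""
    if "@" not in username:
        return None
    return SRV_RECORDS.get(username.rsplit("@", 1)[1])


def home_provider_verify(store: dict, username: str, nonce: str, nc: str, cnonce: str,
                         qop: str, ha2_value: str, response: str) -> bool:
    """Home provider side: it receives HA2, never the URI, and compares in constant time."""
    stored = store.get(username)
    if stored is None:
        return False
    expected = digest_response(stored, nonce, nc, cnonce, qop, ha2_value)
    return secrets.compare_digest(expected, response)


def relying_party_verify(method: str, authorization: str, issued_nonce: str) -> bool:
    """Relying party side: check realm/nonce/qop, compute HA2 locally, forward the rest."""
    f = parse_digest_header(authorization)
    if f.get("realm") != REALM or f.get("nonce") != issued_nonce or f.get("qop") != "auth":
        return False
    username = f.get("username", "")
    host = discover_home_provider(username)
    if host is None:
        return False
    ha2_value = ha2(method, f.get("uri", ""))  # computed here; the URI stays with the RP
    return home_provider_verify(HOME_STORES.get(host, {}), username, f["nonce"],
                                f.get("nc", ""), f.get("cnonce", ""), "auth",
                                ha2_value, f.get("response", ""))


def build_authorization(username: str, password: str, method: str, uri: str, nonce: str,
                        cnonce: str, nc: str = "00000001", realm: str = REALM) -> str:
    """What the browser computes on its own; included only to drive the example end to end."""
    resp = digest_response(ha1(username, realm, password), nonce, nc, cnonce, "auth", ha2(method, uri))
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def rfc2617_vector() -> str:
    """Reproduce the RFC 2617 section 3.5 example response from its published inputs."""
    return digest_response(ha1("Mufasa", "testrealm@host.com", "Circle Of Life"),
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b",
                           "auth", ha2("GET", "/dir/index.html"))


def demo() -> tuple:
    """Returns (correct password accepted, wrong password rejected) for one RP-issued nonce."""
    nonce = secrets.token_hex(16)
    good = build_authorization("alice@example.org", "correct horse", "GET", "/private/doc", nonce, "abc123")
    bad = build_authorization("alice@example.org", "wrong password", "GET", "/private/doc", nonce, "abc123")
    return relying_party_verify("GET", good, nonce), relying_party_verify("GET", bad, nonce)


if __name__ == "__main__":
    print(rfc2617_vector(), demo())
```

The relying party is the only party that ever sees the URI, and the home provider is the only party that ever sees HA1; the federated request between them carries just the username, the nonce material, HA2 and the client's response. A request for a user whose domain has no SRV record, or whose realm or nonce does not match what the relying party issued, is rejected before anything is forwarded.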