Carl-Uno asked me who has implemented Digest Authentication, so I did a little
looking around. While I was at it, I looked for HTTP implementations of TLS.
There's a nice article on HTTP authentication at:
http://msdn.microsoft.com/workshop/networking/wininet/overview/authentication.asp
It explains some of the benefits of Digest Authentication. It also says that
Digest authentication support was introduced in Internet Explorer 5.
http://www.microsoft.com/NTServer/nts/exec/compares/NTSandNWcomp/7_ScenarioWeb.asp
says that Windows 2000 implements digest authentication.
http://msdn.microsoft.com/standards/top150/security.htm claims that Internet
Explorer 5.0, Windows 2000 and Windows CE all support TLS, too.
As for other browsers and servers, you can gather some information from HTTP
implementation reports at http://www.w3.org/Protocols/HTTP/Forum/Reports/. The
implementation reports are a snapshot from a while ago, though, and not everyone
with products reported.
But the reports claim that Apache (http://www.apache.org), CL-HTTP
(http://wilson.ai.mit.edu/cl-http/cl-http.html), and WN
(http://hopf.math.nwu.edu/)
all implement Digest Authentication, although they didn't do much testing.
If you're stuck with an older server that doesn't implement Digest
Authentication, there are some hints on how to add it:
http://msdn.microsoft.com/library/periodic/period98/html/takeiiscustomizationtonextlevelbywritingisapifiltersscriptinterpreters.htm
explains how you could add Digest Authentication to Microsoft's IIS, for
example.
The Java Web Server 1.1
(http://www.javasoft.com/marketing/collateral/jws_ds.html) claims to implement
digest authentication.
In summary, it looks like there is lots of official support for Digest
Authentication, although some of these products are recent (IE 5 was just
released) or only in beta (Windows 2000). However, if you're sufficiently
motivated, I'm sure those who are interested can get their hands on the
implementations to try them out.
Larry