> -----Original Message-----
> From: Michael Sweet [mailto:mike at easysw.com]
> Sent: Tuesday, April 13, 1999 10:40 AM
> To: Paul Leach
> Cc: Larry Masinter; Scott Lawrence; IETF-IPP
> Subject: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication
>
> Paul Leach wrote:
> > ...
> > True, but so does the client. It can (and should be able to be)
> > configured with the lowest level of security it will accept, and if
> > the server only offers less secure protocols than that, it refuses
> > to connect.
>
> This isn't really a negotiation, tho. The client can't change what
> the server wants, and vice-versa...
I agree. I didn't mean to imply it was. I was just carrying your argument
about the server to the client side as well.
>
> > BTW: there is advantage to running Digest (instead of Basic), even
> > with the weakest options, inside of TLS. Basic exposes your password
> > to the server, whereas Digest server can store hashes of passwords
> > that are realm specific, and so use of the same password in multiple
> > realms isn't as big an exposure.
> > ...
>
> I agree that there are a lot of benefits with using Digest, but to
> interface to an existing non-MD5-based authorization system you need
> to use Basic so you have the original password text to work with.
Sorry, I'm not sure I understand that.
If it means that there needs to be a way to set the password originally, and
to change the password later, neither of which are specified by the Digest
protocol, you're right. I don't think those considerations mean that one
requires the use of Basic auth, though -- it has the exact same issues.
Paul
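The exchange above turns on one property of Digest that Paul mentions and Michael concedes: a Digest server can keep a realm-specific hash (RFC 2617's HA1) instead of the password, whereas a Basic server receives the password itself. The following is an added illustration, not code from the IPP thread or from either author; it follows the RFC 2617 computation with `qop="auth"`, and the `DigestServer`, `basic_header` and `basic_server_sees` names are this example's own. The sample username, realm, password, nonce and cnonce are the ones RFC 2617 uses in its own worked example.

```python
import base64
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 HA1 = MD5(username:realm:password). Because the realm is baked
    # in, the same password enrolled in two realms yields two unrelated values.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # Challenge response for qop="auth"; once HA1 is known, the password
    # itself is not needed by either side.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Hypothetical server that stores only HA1 per user, as the thread describes."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.ha1_by_user: dict[str, str] = {}

    def enroll(self, username: str, password: str) -> None:
        # The cleartext is used once at enrolment and never persisted.
        self.ha1_by_user[username] = digest_ha1(username, self.realm, password)

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        return hmac.compare_digest(expected, response)


def basic_header(username: str, password: str) -> str:
    # Basic: base64 is an encoding, not protection; only TLS hides this on the wire.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def basic_server_sees(header: str) -> tuple[str, str]:
    # The Basic server recovers the password itself: this is what lets it
    # bridge to a non-MD5 back end, and it is exactly what Digest avoids.
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def demo() -> dict:
    # Sample values taken from the RFC 2617 example (section 3.5).
    user, realm, password = "Mufasa", "testrealm@host.com", "Circle Of Life"
    nonce, cnonce, nc = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
    method, uri = "GET", "/dir/index.html"

    server = DigestServer(realm)
    server.enroll(user, password)

    # Client computes HA1 from the typed password and answers the challenge.
    client_ha1 = digest_ha1(user, realm, password)
    good = digest_response(client_ha1, method, uri, nonce, nc, cnonce)
    bad = digest_response(digest_ha1(user, realm, "wrong"), method, uri, nonce, nc, cnonce)

    return {
        "stored": server.ha1_by_user[user],
        "response": good,
        "accepted": server.verify(user, method, uri, nonce, nc, cnonce, good),
        "wrong_password_accepted": server.verify(user, method, uri, nonce, nc, cnonce, bad),
        # Same user and password enrolled in a different (constructed) realm.
        "other_realm": digest_ha1(user, "ipp.example.com", password),
        "basic_leaks": basic_server_sees(basic_header(user, password)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to read off the output. First, `stored` and `other_realm` differ even though the user typed the same password, so a copy of one realm's table says nothing about the other; that is the "isn't as big an exposure" Paul refers to. Second, the stored HA1 is still a password-equivalent for its own realm (RFC 2617 section 4.13 makes the same point), so the table needs the same protection a Basic server's back end would; the gain is narrower than "hashed, therefore safe", and Paul's point stands that setting and changing the password is outside both schemes.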