On Wed, Oct 29, 2008 at 10:10:38AM +0000, Dave Howorth wrote:
> Steven Blanchard wrote:
> > Cons of HTTP Authentication
> ...
> > - The challenge/response design of HTTP authentication--sending a 401
> > Authorization Required when accessing a secured URL--would leak
> > sensitive information. (can be mitigated)
> ...
> > - Basic authentication transmits the user name and password in the clear
> > for every request
>
> I think there is an issue that would need to be checked with lawyers, at
> least for people who are UK-government sponsored and are proposing to
> implement authentication for the first time.
>
> Those affected will know that since the well-publicised leaks of private
> data by public organizations in the UK, research councils have [been
> made to] increased supervision of the data protection laws, with
> requirements for encryption of disks etc.
>
> It's my understanding (though I am not a lawyer :) that storing a
> username together with a password constitutes 'private data' and that any
> database or other mechanism used to store that information would
> therefore need to be registered with your organisation and be audited. I
> also understand that ignoring the requirement is a sacking offence, at
> least where I work.

Most password authentication software does not store plain text passwords,
only checksums (e.g. MD5 or SHA1) of passwords. This is the case on modern
UNIX and UNIX-like operating systems (for user login authentication) as well
as for most software systems supporting password authentication, for example
Apache (see manual for htpasswd).

Regards,
Andreas

> This seems like a very powerful incentive to avoid designing any system
> that requires local storage of passwords, especially since the content
> being served does not itself usually contain any 'private data' that
> needs protecting. So it seems to me that a better and ultimately simpler
> solution is one that offloads all personal passwords to dedicated
> servers designed for the purpose and implemented and supported by IT
> security teams.
>
> So I'd suggest checking the legal framework before making any technical
> decisions on authentication schemes.
>
> Cheers,
> Dave
> _______________________________________________
> DAS mailing list
> [email protected]
> http://lists.open-bio.org/mailman/listinfo/das

--
Andreas Kähäri, Ensembl Software Developer
European Bioinformatics Institute (EMBL-EBI)
Wellcome Trust Genome Campus, Hinxton
Cambridge CB10 1SD, United Kingdom
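Andreas's point is that an htpasswd-style store holds only a digest of the password, never the plaintext. The following is an added illustration (not code from this thread or from Apache) of the `{SHA}` entry format that `htpasswd -s` writes, alongside a salted, iterated PBKDF2 scheme whose `$pbkdf2-sha256$...` entry layout is an assumption of this example, to show why a bare unsalted checksum is the weaker of the two: every user with the same password gets the same stored digest.

```python
import base64
import hashlib
import hmac
import os

# Apache htpasswd "-s" format: user:{SHA}base64(SHA-1(password)).
# Only the digest reaches the file; the plaintext password is never stored.
def htpasswd_sha_entry(user: str, password: str) -> str:
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def verify_htpasswd_sha(entry: str, password: str) -> bool:
    user, _, stored = entry.partition(":")
    if not stored.startswith("{SHA}"):
        return False
    candidate = htpasswd_sha_entry(user, password).partition(":")[2]
    # Constant-time comparison so a mismatch position is not timing-observable.
    return hmac.compare_digest(candidate, stored)

# Salted, iterated PBKDF2-HMAC-SHA256. The entry layout below
# ($pbkdf2-sha256$iterations$salt$derived_key) is constructed for this example.
# A per-user random salt means identical passwords no longer share a digest,
# and the iteration count makes offline guessing against a leaked file slower.
PBKDF2_ITERATIONS = 200_000

def pbkdf2_entry(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return "$pbkdf2-sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))

def verify_pbkdf2(entry: str, password: str) -> bool:
    try:
        _, scheme, iters, salt_b64, dk_b64 = entry.split("$")
    except ValueError:
        return False          # malformed entry: reject rather than crash
    if scheme != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

if __name__ == "__main__":
    # Two users with the same password share one unsalted {SHA} digest,
    # but get distinct PBKDF2 entries that both still verify.
    print(htpasswd_sha_entry("alice", "password"))
    print(htpasswd_sha_entry("bob", "password"))
    print(pbkdf2_entry("password"))
    print(pbkdf2_entry("password"))
```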
