I have not read any of the patents on this for reasons that will be familiar.
If I was going to revisit Digest I would at the very least include an ephemeral D-H key into the mix so that the digest value was at a minimum secure against a brute force attack by a man in the middle. Has every avenue to that end been encumbered?

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Mark Nottingham
> Sent: Monday, June 26, 2006 3:58 PM
> To: EKR
> Cc: [email protected]; [EMAIL PROTECTED]
> Subject: Re: [Ietf-http-auth] Notes on Web authentication enhancements
>
> You're right (unless I missed something else);
>
> [2617]
>
> digest-uri = "uri" "=" digest-uri-value
> digest-uri-value = request-uri ; As specified by HTTP/1.1
>
> [2616]
>
> Request-URI = "*" | absoluteURI | abs_path | authority
>                                   ^^^^^^^^
> A pity.
>
>
> On 2006/06/26, at 12:00 PM, Eric Rescorla wrote:
>
> > Mark Nottingham <[EMAIL PROTECTED]> writes:
> >
> >> On 2006/06/23, at 3:29 PM, Eric Rescorla wrote:
> >>> Part of the problem is that the user and the software have a
> >>> different view of the RP's identity. The software knows that
> >>> C1tibank and Citibank are different, but the user does not.
> >>
> >> Fair enough.
> >>
> >> Would it be correct to say that HTTP Digest Auth has this property
> >> already (because A2 includes the digest-uri-value)? There are other
> >> attacks that can be made against Digest, of course (e.g., dictionary
> >> against weak passwords), but it's interesting to think of it as
> >> having anti-phishing properties.
> >
> > I'm not 100% sure. IIRC, the digest-uri-value is only the path
> > portion, i.e.,
> >
> > /example/example.html
> >
> > rather than
> >
> > http://www.example.com/example/example.html
> >
> > But I could totally be wrong on this.
> >
> > -Ekr
>
> --
> Mark Nottingham
> [EMAIL PROTECTED]
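As an added example (not code from anyone in this thread), the RFC 2617 response computation itself, which makes the point under discussion concrete: A2 is method ":" digest-uri, so the host is covered by the hash only when the client sends the absoluteURI form of Request-URI, not the abs_path form. The challenge and credentials are the worked example from RFC 2617 section 3.5; the two hostnames are constructed lookalikes.

```python
# Added example, not from the thread: RFC 2617 Digest 'response' computation,
# showing what the hash actually binds. Test vector values are from RFC 2617
# section 3.5; the two hostnames used below are constructed for illustration.
import hashlib
from urllib.parse import urlsplit


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, digest_uri,
                    nonce, nc="00000001", cnonce="0a4f113b", qop="auth"):
    """RFC 2617 response value for algorithm=MD5, qop=auth."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")   # A1 = user:realm:password
    ha2 = _md5_hex(f"{method}:{digest_uri}")           # A2 = method:digest-uri
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_uri_for(url: str, form: str) -> str:
    """Derive the digest-uri a client would send for a URL, in either
    Request-URI form from RFC 2616: 'abs_path' (a direct request) or
    'absoluteURI' (required when the request goes through a proxy)."""
    parts = urlsplit(url)
    if form == "abs_path":
        return parts.path + (f"?{parts.query}" if parts.query else "")
    if form == "absoluteURI":
        return url
    raise ValueError(f"unknown Request-URI form: {form}")


# RFC 2617 section 3.5 challenge and credentials (expected response for
# uri="/dir/index.html" is 6629fae49393a05397450978507c4ef1).
RFC_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
                   password="Circle Of Life", method="GET",
                   nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")


def response_is_host_bound(real_url: str, lookalike_url: str, form: str) -> bool:
    """True if the same challenge yields different responses for the real
    site and a lookalike site, i.e. the host is actually part of A2. If this
    is False, a lookalike relaying the real server's challenge obtains a
    response the real server would accept."""
    real = digest_response(digest_uri=digest_uri_for(real_url, form), **RFC_EXAMPLE)
    fake = digest_response(digest_uri=digest_uri_for(lookalike_url, form), **RFC_EXAMPLE)
    return real != fake


if __name__ == "__main__":
    real, fake = "http://www.example.com/dir/index.html", "http://www.examp1e.com/dir/index.html"
    print(digest_response(digest_uri="/dir/index.html", **RFC_EXAMPLE))
    print("abs_path binds host:", response_is_host_bound(real, fake, "abs_path"))
    print("absoluteURI binds host:", response_is_host_bound(real, fake, "absoluteURI"))
```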
