Re: naive authentication scheme for ra_svn

On Sat, Sep 13, 2003 at 06:40:04PM -0400, Greg Hudson wrote:
> I believe you're a little confused.

You are right :-)
I had never looked at the HTTP RFC myself, but assumed that the digest
method was flawed after reading some documentation about mod_auth_digest
in the distant past. I had read about APOP authentication a long time ago
after seeing the cucipop output from crosswinds.net's POP server, back in
the days.

> HTTP digest auth is not flawed in this manner; it has similar security
> properties to APOP authentication. Check out RFC 2617 if you have to.
>
> CRAM-MD5 is considered inferior to DIGEST-MD5 in the SASL world, mostly
> because DIGEST-MD5 can provide a security layer instead of just
> authentication at the beginning of the connection.
>
> A full-blown DIGEST-MD5 implementation would be a significant amount of
> code; it would probably be better to use a SASL library at that point.

I still have to read about DIGEST-MD5 in detail. I had suggested
CRAM/APOP as compared to plain password digests.

Thanks :-)

-- 
Mukund
The very powerful and the very stupid have one thing in common.  Instead of
altering their views to fit the facts, they alter the facts to fit their
views ... which can be very uncomfortable if you happen to be one of the
facts that needs altering.
                -- Doctor Who, "Face of Evil"
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org