OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ati

[ Lists Home | Date Index | Thread Index ]

I know about digest-auth.  Yes, it sends a hash (not encrypted password) 
rather than the plaintext.  But it sends it every time which they admit 
isn't terribly secure, it is subject to dictionary attacks (with new 
data every time the nonce expires), and it uses the deprecated MD-5 as 
opposed to SHA-1.  It also doesn't *seem* (in my quick test) to be 
supported by IE, which knocks out a large part of the net.  (Always a 
tip-off when folks use the phrase "supported by modern browsers," I've 
done it myself.:)

Good security requires state.  Bad security leaves your login passwords 
lying around. Using a cookie to maintain a timed-out login session seems 
the best way to do good and avoid bad. And since I don't believe that 
RFC 2109 violates web architecture, we'll just have to agree to disagree.

Happy new year.
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS