David Wang 2007-01-29, 7:22 pm
Well, if your concern is to not lose user passwords, Digest can be
sufficient for that since it never passes the password over the
network in any form.
However, Digest is still weak against attacks like man-in-the-middle,
replay, snooping, delegation, spoofing. In particular, a snooping/
replay attack can be just as damaging.
It is unfortunate that the more secure authentication protocols
require more investment in security setup/infrastructure to utilize,
but that is the cost of establishing a chain of trust for machines,
which humans implicitly create on their own.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Jan 29, 7:53 am, K12-Jammer <K12Jam...@discussions.microsoft.com>
wrote:
> David,
>
> Thank you for your summary statement and for your reference to the w3.org
> document which delineates the weaknesses of Digest mode. I will surely read
> that document.
>
> I think that your summary statement, however, will dictate that I not use
> Digest mode.
>
> In my situation, the actual secure documents are much less valuable than
> password integrity is. It won't ruin my organization if an outsider sees one
> of these "secure" documents, but I don't want them to be able to get my users'
> passwords.
>
> Thanks for being so knowledgeable on this stuff.
> --
> Jim R
>
>
>
> "David Wang" wrote:
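To make the replay and snooping points above concrete, here is an added example (not code from David Wang's post or from IIS) that computes the RFC 2617 Digest "response" value and checks it against the worked example in that RFC (user Mufasa, realm testrealm@host.com, password "Circle Of Life"). The `DigestServer` class, its `strict` flag, and the tiny wordlist are assumptions constructed for the demonstration: they show that a sniffed Authorization header can be resent verbatim to a server that only checks the hash, and that the same sniffed header lets an eavesdropper test password guesses offline, even though the password itself never crossed the wire.

```python
import hashlib
import hmac
import secrets


def h(s: str) -> str:
    """MD5 hex digest of a string, the primitive RFC 2617 Digest is built on."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' value for qop=auth.

    Only this hash crosses the wire; the cleartext password never does.
    """
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Worked example from RFC 2617 section 3.5 (real test vector, not constructed).
RFC2617_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b",
)


class DigestServer:
    """Hypothetical server-side verifier (an assumption of this example).

    strict=True rejects a (nonce, nc) pair it has already accepted, which is
    what defeats a straight replay. strict=False only checks that the hash is
    right, the naive behaviour a resent Authorization header slips past.
    """

    def __init__(self, realm, users, strict=True):
        self.realm = realm
        # Store HA1 rather than the cleartext password, as RFC 2617 allows.
        self.ha1 = {u: h(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.strict = strict
        self.issued = {}  # nonce -> set of nonce-count values already accepted

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = set()
        return nonce

    def verify(self, req):
        """req: dict with username, method, uri, nonce, nc, cnonce, response."""
        ha1 = self.ha1.get(req["username"])
        if ha1 is None or req["nonce"] not in self.issued:
            return False
        ha2 = h(f"{req['method']}:{req['uri']}")
        expected = h(f"{ha1}:{req['nonce']}:{req['nc']}:{req['cnonce']}:auth:{ha2}")
        if not hmac.compare_digest(expected, req["response"]):
            return False
        used = self.issued[req["nonce"]]
        if self.strict and req["nc"] in used:
            return False  # same nonce and nonce-count seen before: a replay
        used.add(req["nc"])
        return True


def replay_demo(strict):
    """Legitimate request, then the identical headers resent by a sniffer.
    Returns (accepted_first_time, accepted_when_replayed)."""
    srv = DigestServer("testrealm@host.com", {"Mufasa": "Circle Of Life"}, strict=strict)
    nonce = srv.issue_nonce()
    req = {"username": "Mufasa", "method": "GET", "uri": "/dir/index.html",
           "nonce": nonce, "nc": "00000001", "cnonce": "0a4f113b"}
    req["response"] = digest_response("Mufasa", srv.realm, "Circle Of Life",
                                      "GET", req["uri"], nonce, "00000001", "0a4f113b")
    first = srv.verify(req)
    replayed = srv.verify(dict(req))  # attacker resends what was sniffed
    return first, replayed


def offline_guess(captured, realm, wordlist):
    """An eavesdropper who saw one exchange tests password guesses offline;
    no further traffic to the server is needed."""
    for pw in wordlist:
        if digest_response(captured["username"], realm, pw, captured["method"],
                           captured["uri"], captured["nonce"], captured["nc"],
                           captured["cnonce"]) == captured["response"]:
            return pw
    return None


# Constructed wordlist for the demonstration.
WORDLIST = ["password", "hakuna matata", "Circle Of Life", "simba"]

if __name__ == "__main__":
    cap = dict(RFC2617_EXAMPLE)
    cap["response"] = digest_response(**RFC2617_EXAMPLE)
    print("RFC 2617 response:", cap["response"])
    print("strict server   (first, replay):", replay_demo(strict=True))
    print("naive server    (first, replay):", replay_demo(strict=False))
    print("offline guess from sniffed header:", offline_guess(cap, cap["realm"], WORDLIST))
```

The strict server accepts the genuine request and refuses the replayed copy because the nonce-count has already been used; the naive server accepts both. Either way, the captured header is enough to recover a weak password offline, which is why Digest does not remove the need for TLS when password integrity is the real concern.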