>Digest, per se, doesn't require clear text password storage.
>Squids supplied helper uses cleartext, but that is simply -a-
>implementation. Squid itself never needs the cleartext password.
Technically, yes - digest auth does not require the password to be
stored in cleartext. However, as you pointed out, the Squid-supplied
helper does, and I know of no other digest helper for Squid.
Furthermore, since knowledge of the clear text password is needed
to verify the digest sent, the password would need to be stored either
in clear text or reversible encryption - unless I completely misunderstand
how digest auth works (which is also quite possible).
Digest could be improved upon by using a hash of the password instead
of the password itself. Of course, there's something of a chicken-
and-egg problem here: proxy and web servers won't support it until
browsers support it, and browsers won't support it until proxy and
web servers support it. Additionally, since digest auth is an RFC,
someone would have to draft another RFC. So even if it is a great
idea, it can't be implemented quickly (if at all).
Adam
Received on Thu Jul 10 2003 - 21:29:09 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:56 MST