Re: Minimal Authorization

Stephen D Crocker (crocker@tis.com)
Sat, 13 Aug 1994 02:15:54 +0200

At the risk of sounding too much like an alarmist and a security
zealot, passwords in the clear are no longer an acceptable risk. At
the very least, a challenge-response system is necessary.

One useful scheme is S/Key: it's free, easily available and fits into
the existing paradigms.

Much stronger schemes are also available, e.g. Kerberos, public key
systems, etc. However, you're asking for a lightweight security
scheme, and that's not unreasonable, but passwords in the clear are
simply not adequate for any purpose whatsoever unless the path between
the user and server is confidential. In the Internet, this is no
longer the case and will not be for the foreseeable future.

This point has been identified as a critical issue in the security of
the Internet and highlighted in a recent Internet Architecture Board
workshop.

Steve Crocker
Past IETF Area Director for Security
Current IAB member

> Reply-To: miked@CERF.NET
> Sender: www-talk@www0.cern.ch
> From: miked@CERF.NET (Michael A. Dolan)
> To: Multiple recipients of list <www-talk@www0.cern.ch>
> Date: Fri, 12 Aug 1994 20:00:55 +0200
> Subject: Minimal Authorization
>
> Has there been any recent discussion in regard to a minimal authorization
> for HTTP ?
>
> SHEN and the other proposals that have come up recently are fine
> and serve a good purpose. However, I think there is a need for some
> minimal authorization, low-security mechanism for some applications.
>
> While I'm sure the security purists will object to passwords and HTTP
> objects sent in the clear, I think there are, in the near term, many
> applications that require security only "as good as what they're using now"
> (i.e. passwords and text sent in the clear). A good application of this
> was demonstrated by Mr. Freeman-Benson's paper in Geneva.
>
> Anyone here wish to comment on the appropriateness of such an implementation ?
> I am thinking of simply implementing the "Authorization" field "user" scheme
> as it is loosely proposed in the 11/93 HTTP spec and "implemented by AL Sep
> 1993".
>
> Ari - if you're listening - any comments or words of wisdom on your
> ACCESS_AUTH code ?
>
> Mike
> -----------------------------------------------
> Michael A. Dolan - <mailto:miked@cerfnet.com>
> TerraByte Technology (619) 445-9070, FAX -8864
>
>
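The scheme Crocker recommends in place of cleartext passwords, S/Key, is a hash-chain one-time password: the server keeps only the current head of a chain H^n(seed), the client answers a challenge for step n-1, and a sniffed token is useless because it has already been consumed and inverting H is infeasible. The following is an added example written for this archive page, not code from the thread or from the S/Key distribution. It is a simplified model: SHA-256 on raw digests instead of RFC 1760's MD4 with 64-bit folding, a constructed seed, and hypothetical class and function names. It also contrasts the replay behaviour against a plain cleartext-password check, which is the risk the message is about.

```python
"""Hash-chain one-time passwords in the style of S/Key (RFC 1760).

Added illustration, not code from the www-talk thread. Simplified model:
SHA-256 over raw digests instead of RFC 1760's MD4/64-bit folding.
All names below are hypothetical; the seed and password are constructed.
"""
import hashlib
import secrets


def hash_once(value: bytes) -> bytes:
    """One step of the chain: the one-way function H."""
    return hashlib.sha256(value).digest()


def hash_chain(seed: bytes, count: int) -> bytes:
    """Return H^count(seed), i.e. H applied count times to the seed."""
    value = seed
    for _ in range(count):
        value = hash_once(value)
    return value


class OtpServer:
    """Verifier side. Stores only the chain head, never the seed."""

    def __init__(self, sequence: int, head: bytes):
        self.sequence = sequence  # number of H applications that produced head
        self.head = head          # H^sequence(seed)

    def challenge(self) -> int:
        """Sequence number the client must respond to (as S/Key sends it)."""
        return self.sequence - 1

    def verify(self, candidate: bytes) -> bool:
        """Accept candidate iff H(candidate) == head, then advance the chain."""
        if self.sequence <= 0:
            return False  # chain exhausted; the user must re-enrol with a new seed
        if not secrets.compare_digest(hash_once(candidate), self.head):
            return False
        # Each accepted token becomes the new head, so it can never be reused.
        self.head = candidate
        self.sequence -= 1
        return True


class OtpClient:
    """Claimant side. Holds the secret seed and answers challenges."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def respond(self, challenge: int) -> bytes:
        return hash_chain(self.seed, challenge)


def enrol(seed: bytes, length: int) -> OtpServer:
    """Initial enrolment: server receives H^length(seed) over a trusted path."""
    return OtpServer(length, hash_chain(seed, length))


class ClearTextServer:
    """Reference point: a fixed reusable password, as in the quoted proposal."""

    def __init__(self, password: bytes):
        self.password = password

    def verify(self, candidate: bytes) -> bool:
        return secrets.compare_digest(candidate, self.password)


def run_demo() -> dict:
    """Walk one login, one replay and one follow-up login for both schemes."""
    seed = b"constructed-seed-do-not-use"  # constructed sample value
    client = OtpClient(seed)
    server = enrol(seed, 100)

    token = client.respond(server.challenge())     # H^99(seed)
    first = server.verify(token)                   # accepted
    replay = server.verify(token)                  # same token again: rejected
    follow_up = server.verify(client.respond(server.challenge()))  # H^98(seed)

    clear = ClearTextServer(b"hunter2")            # constructed sample password
    clear_first = clear.verify(b"hunter2")
    clear_replay = clear.verify(b"hunter2")        # a captured password still works

    return {
        "otp_first": first,
        "otp_replay": replay,
        "otp_follow_up": follow_up,
        "otp_sequence_left": server.sequence,
        "clear_first": clear_first,
        "clear_replay": clear_replay,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The server's stored head is public-safe: whoever reads it (or captures a token on the wire) holds H^k(seed) and would have to invert H to produce the next expected H^(k-1)(seed). The remaining weakness the model makes visible is the finite chain, which is why S/Key users must re-enrol before the sequence reaches zero.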