It has been suggested by Phillip Hallam-Baker that the scheme should
not use MD5, due to a known weakness. He is suggesting the use of SHA
instead. We would like to generate discussion on this, so that we can
move quickly toward consensus.
The choice need not be a difficult one. This simple access
authentication scheme is not intended to be a solution to the entire
web-security need. What we seek is a simple but relatively secure
replacement for the Basic Access Authentication scheme in HTTP/1.0.
We chose MD5 primarily because code is widely available, in the belief
that it was strong enough for our target usage. However, if there is
consensus that SHA would be an all-around better choice, we will revise
our proposal.
It is our intention to make source code for our scheme available as we
can do so. Some software developers have already expressed enthusiasm
for helping with prototype implementations of the scheme.
The current draft of our proposal is located at:
http://www.spyglass.com/techreport/simple_aa.txt
Please send comments to the http-wg mailing list.
--Eric W. Sink [email protected] Jeffery L. Hostetler [email protected] Spyglass, Inc.