[Cryptography] Basic auth a bit too basic

Phillip Hallam-Baker phill at hallambaker.com
Mon Feb 8 11:54:49 EST 2016


On Mon, Feb 8, 2016 at 4:21 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> John Levine <johnl at iecc.com> writes:
>
>>It would be technically straightforward for browsers to have a logout button
>>that forgets the auth credentials for the current page, or to invent an HTML
>>meta tag that tells browsers to forget auth credentials for the current page's
>>domain (give or take the same cross-domain issues with cookies.)
>
> That doesn't really help though because it doesn't provide a means for the
> site and the client to agree to end the authenticated session.  That's what a
> lot of the hacks on Stackexchange try and do, but they remain just... hacks.
>
> Peter.

Digest is the way it is because it was invented by two people who
didn't talk to anyone else before throwing the feature into the spec.

At the time, all IETF specs used password in the clear for
authentication except for Kerberos.

I proposed Digest 24 hours after I discovered what they had done. But
it was too late. Basic had been out for a week by then and the people
who had written it were happy that it solved their needs which
included being able to authenticate against the existing UNIX password
file.

At the time people were only just getting their minds round the idea
that a world readable password file was a stupid idea. These days of
course, everyone knows about shadow password files. But there was a
time when they didn't exist and the same sort of people who tell you
how clever UNIX is because of shadow passwords would tell you how clever
it is to make the password file world readable.

