Would you mind providing some example or proof for your statement that
Digest isn't the most secure mechanism? Can you elaborate more on
"password constraints" ? Why do the "security minded" folks you talk
to think these requirements are a non-started for digest?
Prior to Windows 2003, IIRC, digest authentication required the web server
to run on the same machine as the domain controller. I don't know how you
feel about this, but, in my opinion, IIS' distinguished history of security
makes this unappealing to me.
My comment was geared more at Windows 2003 though. I simply meant that to
do digest authentication the user's account in AD has to be created with
the option that says "the password must be stored using reversible encryption".
Those security minded people feel this is not a good idea. In my opinion,
Keith is a respectable individual in the security field and he describes
the issues a bit here:
http://msdn.microsoft.com/msdnmag/issues/0700/websecure2/
What does
"non-started" mean anyway?
It's a typo that should have read "non-starter", meaning that since the password
must be decryptable then it's not even an option to consider.
You may be right but just stating something without giving some proof
doesn't mean too much, it almost sounds like you are stating your own
personal opinion, and if thats true then you should start your
sentence with "In my opinion,...."
In my opinion, it should be obvious that no one should blindly accept anonymous
advice from people on newsgroups without doing your own research and due
diligence.
-Brock
DevelopMentor
http://staff.develop.com/ballen