Re: Authentication API

[Simon Kelly]

Hi 

I have one comment regarding the Authentication API:

The requirement to implement Basic Auth or Digest Auth is unclear

Early on in the spec it says:

OpenRosa compliant servers MUST support at least one of either: Digest Authentication or Basic Authentication

But then later in the spec this line indicates that only Digest auth is acceptable:

device-and-server interactions for which the server requires authentication MUST implement the OpenRosa Restricted Digest authentication scheme...

These two statements seem to be in conflict. If the spec allows for only Basic Auth then I would be happy but if it forces Digest then its a '-1' for me.

Regards

Simon

[Mitch S]

I've updated that sentence with an or... .

The early discussions were to require just Digest Authentication, restricted to the subset defined in the standard -- both to exclude the least-secure legacy digest implementation and to standardize on a particular choice where there were several, so that J2ME implementors weren't burdened with implementing everything in the underlying RFC.
 
However, because that prevents state-of-the-art randomly-seeded SHA-1 hashing of passwords on the server side, the requirement was changed to support Basic or Digest Authentication.  The offending sentence had not been updated.

Mitch

--
Mitch Sundt
Software Engineer
University of Washington
mitche...@gmail.com

[Anton de Winter]

Thanks for starting the discussion, Simon, and thanks to Mitch for the updates.   

Given that the mHealth conf has started, I'd like to knock out the last two APIs:  Auth and FormList.    To that end, we should probably try to do as much of the discussion live.  So if you can throw your comments in the Skype Chat.  If you don't have access to the Skype chat though, no worries, I'll be monitoring the mailing list throughout the day and pipe mails through to the chat.

Cheers!

Anton

--
Anton de Winter

Dimagi Inc

(617) 692 0786

529 Main St

Charlestown, MA

02129