- From: Preston L. Bannister <preston@home.com>
- Date: Wed, 3 Jan 2001 08:55:41 -0800
- To: "Geoffrey M. Clemm" <geoffrey.clemm@rational.com>, <ietf-dav-versioning@w3.org>
- Cc: <ckaler@microsoft.com>, <yarongo@crossgrain.com>
> In earlier threads, the response has been that a server writer can
> just tack on a GUID to the version URL to guarantee it isn't re-used
> (RFC-2518 describes a variety of mechanisms for cheaply creating
> GUID's).

[snip]

> Note that several of the techniques described in 2518, don't
> "guarantee" uniqueness, but rather make it extremely unlikely that
> there will be a collision ... I believe that "extremely unlikely" is
> sufficient for satisfying the "MUST NOT".

As an aside, one good source of "randomness" not mentioned in this technique is the MAC address on any or all network adaptors in the machine (the same machine address currently used in UUIDs). If the MAC address is to be hashed with even slightly random values (say startup and current times) you have pretty well obliterated the security concerns. Using the MAC address(es) goes a long way to insure the uniqueness of the input to the secure hash function.

Not that I'm a member of this working group, but "MUST NOT" with a vastly improbable chance of collision seems closer to the mark.

--
Preston L. Bannister
preston@home.com
http://members.home.com/preston/
Received on Wednesday, 3 January 2001 11:55:44 UTC
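
The scheme suggested in the message above, sketched as an added example that is not part of the original post or of any WebDAV server: the MAC address(es), the process startup time and the current time are fed to a secure hash, and a prefix of the digest becomes the suffix of a version URL. SHA-256, the per-process counter (added so two calls in the same clock tick still differ), the function names and the sample URL are assumptions of this example.

```python
import hashlib
import itertools
import struct
import time
import uuid

# Captured once per process: the "startup time" input from the message.
_STARTUP_NS = time.time_ns()
# Assumption of this example: a counter separates calls within one clock tick.
_COUNTER = itertools.count()


def mac_addresses():
    """Return the host's hardware address as a list of 6-byte values.

    uuid.getnode() yields one 48-bit address, or a random 48-bit value when
    no adaptor address can be read.
    """
    return [uuid.getnode().to_bytes(6, "big")]


def version_token(macs=None, startup_ns=None, now_ns=None, seq=None):
    """Hash MAC address(es) with startup time, current time and a counter."""
    macs = mac_addresses() if macs is None else macs
    startup_ns = _STARTUP_NS if startup_ns is None else startup_ns
    now_ns = time.time_ns() if now_ns is None else now_ns
    seq = next(_COUNTER) if seq is None else seq

    h = hashlib.sha256()
    for mac in sorted(macs):
        # Length-prefix each address so adjacent fields cannot run together.
        h.update(len(mac).to_bytes(1, "big") + mac)
    h.update(struct.pack(">QQQ", startup_ns, now_ns, seq))
    # 128 bits of the digest, hex-encoded; only the hash appears in the URL.
    return h.hexdigest()[:32]


def version_url(base):
    """Append a fresh token to a version URL prefix (sample layout)."""
    return f"{base.rstrip('/')}/{version_token()}"


if __name__ == "__main__":
    print(version_url("http://dav.example.org/versions/"))
```
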