
Re: Digest mess

From: Scott Lawrence <lawrence@agranat.com>
Date: Fri, 19 Dec 1997 10:23:46 -0500 (EST)
To: John Franks <john@math.nwu.edu>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, jg@w3.org, paulle@microsoft.com
Message-Id: <Pine.LNX.3.96.971219101948.23855E-100000@alice.agranat.com>

> John Franks:

> It is the client who must be concerned about reused nonces to avoid
> a replay attack.  To avoid a replay attack the client would have to
> keep a database of all previous nonces and make sure they are not
> reused.

  No - it only needs to keep the nonce it used for the outstanding
  request; if that does not produce the correct digest then it is not
  valid even if it would have been valid for some earlier request.  

> Yes a proxy might change the status code.  That is why it needs to be
> replicated in the Authentication-info header.  Hashing the status code
> is what John Mallery was talking about when he said with a few minor
> changes digest could become really useful.  :)

  Ok; that makes sense, but I don't think that we need the dates - they
  are not essential to detecting response replays and they are many more
  bytes.

Received on Monday, 5 January 1998 06:59:26 EST
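The check Scott describes above, where the client recomputes the server's response digest from the nonce, nonce-count and cnonce of the one request it has outstanding and rejects anything else, as an added Python example. This is not code from the thread or from any of its participants; it uses the qop="auth" rspauth formula in the form later published in RFC 2617, and the user name, realm, password, nonce and URI are constructed sample values.

```python
"""Client-side detection of a replayed Digest response (Authentication-Info).

Added illustration only. Formulas follow the qop="auth" form of RFC 2617,
which postdates this thread; credentials, nonces and URIs are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def H(data: str) -> str:
    """Unkeyed MD5 hex digest, Digest auth's H()."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """Keyed digest: KD(secret, data) = H(secret ":" data)."""
    return H(f"{secret}:{data}")


@dataclass(frozen=True)
class Outstanding:
    """Everything the client must remember about the single request in flight."""
    method: str
    uri: str
    nonce: str
    nc: str        # eight hex digits, as sent in the Authorization header
    cnonce: str


def ha1(user: str, realm: str, password: str) -> str:
    return H(f"{user}:{realm}:{password}")


def client_response(a1: str, req: Outstanding, qop: str = "auth") -> str:
    """The 'response' value the client sends in its Authorization header."""
    ha2 = H(f"{req.method}:{req.uri}")
    return KD(a1, f"{req.nonce}:{req.nc}:{req.cnonce}:{qop}:{ha2}")


def server_rspauth(a1: str, uri: str, nonce: str, nc: str, cnonce: str,
                   qop: str = "auth") -> str:
    """The 'rspauth' the server returns in Authentication-Info.

    With qop="auth" the method is omitted from A2, so A2 = ":" uri.
    """
    ha2 = H(f":{uri}")
    return KD(a1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_accepts(a1: str, req: Outstanding, rspauth: str) -> bool:
    """Recompute rspauth from the outstanding request's own nonce, nc and
    cnonce and compare in constant time. A rspauth captured from any earlier
    exchange was computed over different values, so it fails here without
    the client keeping a history of past nonces."""
    expected = server_rspauth(a1, req.uri, req.nonce, req.nc, req.cnonce)
    return hmac.compare_digest(expected, rspauth)


def demo() -> tuple:
    """Returns (fresh response accepted, earlier response replayed, earlier
    response against its own request) for two requests under one server nonce."""
    a1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")   # constructed
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"                 # constructed
    first = Outstanding("GET", "/dir/index.html", nonce, "00000001", secrets.token_hex(8))
    rsp1 = server_rspauth(a1, first.uri, first.nonce, first.nc, first.cnonce)
    # Same nonce reused by the server, new nc and cnonce from the client.
    second = Outstanding("GET", "/dir/index.html", nonce, "00000002", secrets.token_hex(8))
    rsp2 = server_rspauth(a1, second.uri, second.nonce, second.nc, second.cnonce)
    return (client_accepts(a1, second, rsp2),   # True: matches the outstanding request
            client_accepts(a1, second, rsp1),   # False: replay of an earlier response
            client_accepts(a1, first, rsp1))    # True: valid only for the request it answered


if __name__ == "__main__":
    fresh, replayed, earlier = demo()
    print(f"fresh accepted={fresh} replayed accepted={replayed} earlier-for-its-own-request={earlier}")
```

The client state is just the `Outstanding` record; the nonce the server chose may repeat across requests, but the client-chosen `cnonce` and the incrementing `nc` make each rspauth specific to one exchange, which is why a replayed Authentication-Info fails against the request currently in flight.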

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:09 EDT