
Re: Digest mess

From: Scott Lawrence <lawrence@agranat.com>
Date: Tue, 06 Jan 1998 14:08:19 -0500
Message-Id: <199801061908.OAA08217@devnix.agranat.com>
To: Ben Laurie <ben@algroup.co.uk>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>>>>> "BL" == Ben Laurie <ben@algroup.co.uk> writes:

BL> The Apache implementation is already marked as not suitable for serious
BL> use, because of the server's vulnerability to a replay. I'm not sure how
BL> to avoid this, except, perhaps, by tying the nonce to the (rough) time
BL> and the URL. Of course, a client nonce doesn't help with this at all,

  I don't believe that I understand this comment - if the server
  always generates a unique nonce how is it vulnerable to a replay?
  Granted, if it doesn't then it has a problem...

BL> Actually, if we could insist that the digest authed request was in the
BL> same keptalive session as the original request, that'd help a lot...

  TCP connections can be hijacked - it doesn't help.

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Tuesday, 6 January 1998 11:26:20 EST
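The two points above (a server nonce tied to the rough time and the URL, and the question of what a "unique nonce" buys against replay) can be put together in a small Digest server check. The following is an added Python example, not code from this thread, from Apache or from EmWeb; the private key, realm, user, password, timestamps and URIs are constructed values, and the response computation follows RFC 2617's qop=auth form.

```python
import hashlib
import hmac

# Constructed values for this example; a real server keeps its own private key
# and stores HA1 rather than cleartext passwords.
SERVER_KEY = b"example-private-key-not-for-production"
REALM = "example.test"
USERS = {"alice": "correct horse battery staple"}


def md5hex(s: str) -> str:
    # Digest (RFC 2069/2617) specifies MD5; it is used here only because the
    # protocol requires it, not as a general-purpose hash.
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(uri: str, now: float) -> str:
    """Server nonce of the form '<issue-time>:<hmac(issue-time:uri)>'.

    Binding the MAC to the URI and timestamp lets the server verify a nonce
    it issued without storing it, and a nonce captured for one URI cannot be
    presented for another."""
    ts = str(int(now))
    mac = hmac.new(SERVER_KEY, f"{ts}:{uri}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def nonce_is_valid(nonce: str, uri: str, now: float, max_age: int = 300) -> bool:
    """True if the nonce was issued by us, for this URI, within max_age seconds."""
    ts, sep, mac = nonce.partition(":")
    if not sep or not ts.isdigit():
        return False
    expected = hmac.new(SERVER_KEY, f"{ts}:{uri}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # forged, or issued for a different URI
    return 0 <= now - int(ts) <= max_age


def digest_response(user: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 'response' value with qop=auth."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_auth(user: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> dict:
    """The fields a client would send in its Authorization header, as a dict."""
    return {"username": user, "uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce,
            "response": digest_response(user, USERS[user], method, uri, nonce, nc, cnonce)}


class DigestServer:
    """Validates Digest credentials and tracks the nonce-count seen per nonce."""

    def __init__(self) -> None:
        self.last_nc: dict[str, int] = {}  # nonce -> highest nc accepted so far

    def check(self, method: str, uri: str, auth: dict, now: float) -> str:
        nonce = auth["nonce"]
        if auth["uri"] != uri or not nonce_is_valid(nonce, uri, now):
            return "stale"  # wrong URI, forged, or expired: re-challenge the client
        nc = int(auth["nc"], 16)
        if nc <= self.last_nc.get(nonce, 0):
            return "replay"  # nc must strictly increase for a given nonce
        password = USERS.get(auth["username"])
        if password is None:
            return "bad-credentials"
        expected = digest_response(auth["username"], password, method, uri,
                                   nonce, auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return "bad-credentials"
        self.last_nc[nonce] = nc
        return "ok"


def demo(now: float = 1_000_000.0) -> list[str]:
    """A fresh request, a legitimate follow-up, then three repeated presentations."""
    server = DigestServer()
    uri = "/private/index.html"
    nonce = make_nonce(uri, now)  # the challenge the server sent for this URI
    first = client_auth("alice", "GET", uri, nonce, "00000001", "0a4f113b")
    second = client_auth("alice", "GET", uri, nonce, "00000002", "7d1c9e02")
    other = dict(first, uri="/private/other.html")  # same header aimed at another URI
    return [
        server.check("GET", uri, first, now + 1),                    # ok
        server.check("GET", uri, second, now + 2),                   # ok: nc increased
        server.check("GET", uri, first, now + 3),                    # replay: nc 1 <= 2
        server.check("GET", "/private/other.html", other, now + 4),  # stale: nonce bound to URI
        server.check("GET", uri, second, now + 600),                 # stale: nonce expired
    ]


if __name__ == "__main__":
    print(demo())
```

The `last_nc` table is the per-nonce state that "always generates a unique nonce" quietly requires: a server that only verifies the HMAC and the age is stateless but will accept a captured request a second time on the same URI within `max_age`, which is the window the time-and-URL binding narrows but does not close. Neither check says anything about who holds the TCP connection, which is the separate point made about keep-alive sessions.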
