
Re: Some comments on Digest Auth

From: Ben Laurie <ben@algroup.co.uk>
Date: Tue, 20 Jan 1998 10:08:25 +0000
Message-Id: <34C47799.CCE31164@algroup.co.uk>
To: Yaron Goland <yarong@microsoft.com>
Cc: 'Dave Kristol' <dmk@bell-labs.com>, http-wg@cuckoo.hpl.hp.com

Yaron Goland wrote:
> ASSUMPTION: Avoiding replay attacks is important enough to most implementers
> that either the standard will require or implementers will voluntarily
> refuse to accept the same nonce twice.

As I mentioned in another message, requiring that nonces are only
accepted once makes HTTP stateful, and will be difficult to implement in
some servers. However, since some servers may want to (at least in some
modes) make this requirement, it would seem we need a mechanism to
support it. It seems to me that the list-of-nonces (unencumbered by any
ordering requirements) is a way to achieve this, which, so long as it is
optional, has no impact on servers and clients that do not wish to
implement it.

I should point out that a server that implements it is likely to have an
awful lot of nonces to track.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
Received on Tuesday, 20 January 1998 02:12:34 EST
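The mechanism Ben is discussing above, as an added illustration (this is not code from the original thread, from Apache or from Apache-SSL): a server that wants to refuse a repeated nonce has to remember every nonce it has accepted, which is exactly the state the message warns about. The nonce format here is an assumption of mine (issue time, random salt and a keyed MAC over both, in the spirit of the time-stamped keyed constructions the Digest specs suggest), as is the fixed lifetime; the lifetime is what keeps the list of remembered nonces from growing without bound, since a nonce that can no longer be accepted as fresh no longer needs to be remembered.

```python
import hashlib
import hmac
import os
import time

# Per-server secret binding nonces to this server (constructed here for the
# example; a real server would generate it once at startup and keep it private).
SERVER_KEY = os.urandom(32)


class NonceTracker:
    """Issue Digest nonces and accept each one at most once.

    The ``_seen`` table is the state that makes replay rejection stateful;
    ``ttl`` bounds how long any entry has to stay in it.
    """

    def __init__(self, key: bytes, ttl: int = 300, clock=time.time):
        self._key = key
        self._ttl = ttl
        self._clock = clock          # injectable so the behaviour can be tested
        self._seen: dict[str, float] = {}   # nonce -> time it stops being valid

    def _mac(self, stamp: str) -> str:
        return hmac.new(self._key, stamp.encode(), hashlib.sha256).hexdigest()

    def issue(self) -> str:
        """Fresh nonce: '<issue-time>:<random-salt>:<MAC over both>'."""
        stamp = f"{int(self._clock())}:{os.urandom(8).hex()}"
        return f"{stamp}:{self._mac(stamp)}"

    def prune(self) -> int:
        """Forget nonces that can no longer be accepted; returns how many."""
        now = self._clock()
        stale = [n for n, expiry in self._seen.items() if expiry <= now]
        for n in stale:
            del self._seen[n]
        return len(stale)

    def accept(self, nonce: str) -> tuple[bool, str]:
        """Decide whether a presented nonce is fresh; returns (accepted, reason)."""
        self.prune()
        parts = nonce.split(":")
        if len(parts) != 3:
            return False, "malformed"
        issued, salt, mac = parts
        # Reject forged or tampered nonces before spending any state on them.
        if not hmac.compare_digest(mac, self._mac(f"{issued}:{salt}")):
            return False, "bad-mac"
        try:
            issued_at = int(issued)
        except ValueError:
            return False, "malformed"
        if issued_at + self._ttl <= self._clock():
            return False, "stale"
        if nonce in self._seen:
            return False, "replay"      # the same nonce presented a second time
        self._seen[nonce] = issued_at + self._ttl
        return True, "ok"

    def tracked(self) -> int:
        """Number of nonces currently being remembered (the cost Ben points at)."""
        return len(self._seen)


if __name__ == "__main__":
    tracker = NonceTracker(SERVER_KEY, ttl=300)
    nonce = tracker.issue()
    print(tracker.accept(nonce))   # first use is accepted
    print(tracker.accept(nonce))   # second use is a replay
    print("remembered nonces:", tracker.tracked())
```

Every accepted nonce costs an entry until its lifetime runs out, so a busy server remembering nonces for five minutes is holding one record per authenticated request in that window; shortening the lifetime shrinks the table but forces clients to re-authenticate more often, which is the trade-off behind making the whole mechanism optional.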
