W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

RE: Some comments on Digest Auth

From: John Franks <john@math.nwu.edu>
Date: Tue, 20 Jan 1998 17:25:06 -0600 (CST)
To: Paul Leach <paulle@microsoft.com>
Cc: Dave Kristol <dmk@bell-labs.com>, Yaron Goland <yarong@microsoft.com>, http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.LNX.3.96.980120171808.11695A-100000@hopf.math.nwu.edu>
On Tue, 20 Jan 1998, Paul Leach wrote:

> 
> > From: 	John Franks[SMTP:john@math.nwu.edu]
> 
> > It is also a good idea to embed the requestor's IP address.
> > 

> This will be broken when there is a proxy farm, each with its own IP
> address, and where the client chooses the particular proxy based on the
> URL.
> 

If the client chooses the proxy based on URL it will work because the
URL requested without credentials (which elicits the nonce) will be
the same as the URL requested with credentials.  If the first request
without credentials and the second with credentials are from different
proxies, then you are right it will break.


> > One thing that I would like to do, but which would conflict with a
> > pre-delivered list of nonces, is to embed the (strong) ETag of a
> > document in the nonce.  This is simpler than timestamping and
> > guarantees that a replay can only retrieve exactly the same document
> > (which a MITM has presumably already seen when he captured the nonce.)
> > 
> Both would be good -- otherwise you can retreive the same document
> indefinitely into the future.
> 

You could only receive *exactly* the same document indefinitely into
the future as any update of the document changes the ETag.  I don't
see repeatedly obtaining exactly the same document as a problem with
idempotent methods like GET.  Of course, PUT and POST are a different
matter, but I don't think they have ETags.

John Franks
john@math.nwu.edu
Received on Tuesday, 20 January 1998 15:27:14 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:11 EDT