W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

RE: Some comments on Digest Auth

From: Paul Leach <paulle@microsoft.com>
Date: Tue, 20 Jan 1998 18:33:30 -0800
Message-Id: <5CEA8663F24DD111A96100805FFE6587031E38B2@red-msg-51.dns.microsoft.com>
To: 'John Franks' <john@math.nwu.edu>
Cc: Dave Kristol <dmk@bell-labs.com>, Yaron Goland <yarong@microsoft.com>, http-wg@cuckoo.hpl.hp.com


> ----------
> From: 	John Franks[SMTP:john@math.nwu.edu]
> Sent: 	Tuesday, January 20, 1998 6:23 PM
> To: 	Paul Leach
> Cc: 	Dave Kristol; Yaron Goland; http-wg@cuckoo.hpl.hp.com
> Subject: 	RE: Some comments on Digest Auth
> 
> On Tue, 20 Jan 1998, Paul Leach wrote:
> 
> > > 
> > Actually, my comment (that both Etag and timestamp are good) was wrong.
> You
> > can't use an Etag in the nonce, because nonces aren't per-resource. 
> 
> They certainly can be.  This is purely an implementation decision.
> 
OK, it is, but not a practical one. It would require that every initial
request for a URL return 401. That will essentially double the number of
round trips.

> Some existing implementations work this way.  Nothing in the spec
> prohibits this and I doubt if that will change.
> 
> Incidentally, whether an implementation is stateful (e.g. remembers all
> nonces used) or stateless is also an implementation decision.  I very
> much doubt that any consensus could be reached on a specification change
> which either requires the server to be stateful or prohibits it from 
> being so.
> 
As long as the stateless one can actually be made more than trivially more
secure than Basic. I think we might be well on the way, but let's not forget
the priorities.

Paul
Received on Wednesday, 21 January 1998 05:07:12 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:11 EDT