
RE: Some comments on Digest Auth

From: Paul Leach <paulle@microsoft.com>
Date: Tue, 20 Jan 1998 12:54:00 -0800
Message-Id: <5CEA8663F24DD111A96100805FFE6587203989@red-msg-51.dns.microsoft.com>
To: Dave Kristol <dmk@bell-labs.com>, 'John Franks' <john@math.nwu.edu>
Cc: Yaron Goland <yarong@microsoft.com>, http-wg@cuckoo.hpl.hp.com


> ----------
> From: 	John Franks[SMTP:john@math.nwu.edu]
> Sent: 	Monday, January 19, 1998 10:41 AM
> To: 	Dave Kristol
> Cc: 	Yaron Goland; http-wg@cuckoo.hpl.hp.com
> Subject: 	Re: Some comments on Digest Auth
> 
<snip>

> It is also a good idea to embed the requestor's IP address.
> 
This will be broken when there is a proxy farm, each with its own IP
address, and where the client chooses the particular proxy based on the
URL.

> One thing that I would like to do, but which would conflict with a
> pre-delivered list of nonces, is to embed the (strong) ETag of a
> document in the nonce.  This is simpler than timestamping and
> guarantees that a replay can only retrieve exactly the same document
> (which a MITM has presumably already seen when he captured the nonce.)
> 
Both would be good -- otherwise you can retrieve the same document
indefinitely into the future.

Paul
Received on Wednesday, 21 January 1998 05:07:23 EST
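
The combination discussed in this message, a nonce bound to both a timestamp and the document's strong ETag, sketched as an added example that is not code from the thread or from any Digest implementation. The HMAC-SHA256 construction, `SERVER_KEY`, `MAX_AGE` and the function names are assumptions; the client IP address is left out for the proxy-farm reason given above.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server
MAX_AGE = 300                         # assumption: seconds before a nonce is stale


def _mac(timestamp: int, etag: str) -> str:
    # Bind the nonce to the issue time and to one exact version of the document.
    msg = f"{timestamp}:{etag}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_nonce(etag: str, now: Optional[int] = None) -> str:
    ts = int(time.time()) if now is None else now
    return base64.b64encode(f"{ts}:{_mac(ts, etag)}".encode()).decode()


def check_nonce(nonce: str, current_etag: str, now: Optional[int] = None) -> str:
    """Return 'ok', 'stale' or 'invalid' for a nonce presented by a client."""
    now = int(time.time()) if now is None else now
    try:
        decoded = base64.b64decode(nonce, validate=True).decode()
        ts_text, mac = decoded.split(":", 1)
        ts = int(ts_text)
    except (ValueError, UnicodeDecodeError):
        return "invalid"
    expected = _mac(ts, current_etag)
    # Fails for a forged nonce and also when the document (ETag) has changed,
    # so a replay can only ever fetch the version that was already seen.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "invalid"
    # The timestamp bounds how long that same version can be replayed.
    if ts > now or now - ts > MAX_AGE:
        return "stale"
    return "ok"


if __name__ == "__main__":
    n = make_nonce('"v1"', now=1000)         # constructed ETag and clock values
    print(check_nonce(n, '"v1"', now=1100))  # same document, within MAX_AGE
    print(check_nonce(n, '"v2"', now=1100))  # document changed since issue
    print(check_nonce(n, '"v1"', now=2000))  # same document, too old
```
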
