W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

RE: Some comments on Digest Auth

From: Paul Leach <paulle@microsoft.com>
Date: Wed, 21 Jan 1998 10:14:49 -0800
Message-Id: <5CEA8663F24DD111A96100805FFE6587031E38BB@red-msg-51.dns.microsoft.com>
To: 'John Franks' <john@math.nwu.edu>, Dave Kristol <dmk@bell-labs.com>, Yaron Goland <yarong@microsoft.com>
Cc: http-wg@cuckoo.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/5253
There is no harm in allowing BOTH client and server to each generate part of
the nonce, and much good -- it makes precomputed dictionary attacks harder.

> ----------
> From: 	Yaron Goland
> Sent: 	Monday, January 19, 1998 10:45 AM
> To: 	'John Franks'; Dave Kristol
> Cc: 	http-wg@cuckoo.hpl.hp.com
> Subject: 	RE: Some comments on Digest Auth
> I think the proposal to allow clients to generate nonces is intriguing but
> it does concern me from a long term security point of view. Experience has
> taught that allowing clients to generate what is essentially server side
> information leads to trouble. For example in DAV we learned a long time
> ago
> to not let clients generate URIs, it tends to break things. In this case
> allowing the client to generate nonces remove's flexibility on the
> server's
> part in how it generates and manages nonces. Furthermore I'm concerned
> with
> behavior through proxies where a proxy may have multiple connections to a
> server and may put a client's request into any one of its connections to
> that server.
> I guess i'm just old fashioned but I always like to err on the side of
> maximum flexibility. In this case that means only giving the server the
> right to generate nonces.
> 		Yaron
Received on Wednesday, 21 January 1998 10:16:41 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:22 UTC