
Authentication issue: NONCE-ETAG proposed resolution (to leave as is)

From: Larry Masinter <masinter@parc.xerox.com>
Date: Tue, 28 Jul 1998 11:07:57 PDT
To: HTTP Working Group <http-wg@cuckoo.hpl.hp.com>
Message-Id: <002801bdba52$a61328c0$15d0000d@copper-208.parc.xerox.com>

In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0035.html
Dave Kristol wrote about problems with the example nonce
given in section 3.2.1.

"I think this example for nonce is a poor one..."

citing two reasons: (a) using ETag ties the nonce to a given URI
and (b) some resources may not have an ETag.

However, this is just an example of what a nonce might be, rather than
normative text, and the drawbacks that Dave cites don't affect the
security of the nonce, but rather the performance of nonce reuse,
and the domain of applicability of the example.

So I propose that we leave the text as is. I considered recommending
a disclaimer, but I consider the existing disclaimer

# The contents of the nonce are implementation dependent. The quality
# of the implementation depends on a good choice. 

sufficient.

Proposed resolution: leave as is.

Larry
--
http://www.parc.xerox.com/masinter
 
Received on Tuesday, 28 July 1998 11:10:00 EDT
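
The two drawbacks discussed in the message above can be seen in a small server-side sketch. This is an added example, not part of the message or of the specification text. It follows the shape of the specification's sample nonce, time-stamp H(time-stamp ":" ETag ":" private-key), with HMAC-SHA-256 swapped in for H. The names `SERVER_KEY`, `MAX_AGE`, `make_nonce` and `check_nonce`, the base64 wrapping, and the empty-string fallback for a resource without an ETag are assumptions.

```python
import base64
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # constructed; use a random secret in practice
MAX_AGE = 300                         # assumed freshness window, in seconds


def _mac(ts: str, etag: str) -> bytes:
    # Keyed hash over "time-stamp:ETag"; the key plays the role of private-key.
    digest = hmac.new(SERVER_KEY, f"{ts}:{etag}".encode(), hashlib.sha256)
    return digest.hexdigest().encode()


def make_nonce(etag, now=None):
    """Build base64("time-stamp MAC"). A resource with no ETag (None) uses ""."""
    ts = str(int(time.time() if now is None else now))
    return base64.b64encode(ts.encode() + b" " + _mac(ts, etag or "")).decode()


def check_nonce(nonce, etag, now=None):
    """Return "ok", "expired" or "mismatch" for a nonce presented with a request."""
    try:
        ts, mac = base64.b64decode(nonce, validate=True).decode().split(" ")
        issued = int(ts)
    except ValueError:  # bad base64, bad UTF-8, wrong field count, non-numeric time
        return "mismatch"
    # Forged nonces and nonces issued for another entity both fail here; the
    # server just sends a fresh challenge, costing the client one round trip.
    if not hmac.compare_digest(mac.encode(), _mac(ts, etag or "")):
        return "mismatch"
    age = (time.time() if now is None else now) - issued
    return "ok" if 0 <= age <= MAX_AGE else "expired"


if __name__ == "__main__":
    n = make_nonce('"v1-index"', now=1000)               # constructed ETag values
    print(check_nonce(n, '"v1-index"', now=1100))        # same entity, fresh
    print(check_nonce(n, '"v1-logo"', now=1100))         # reused on another resource
    print(check_nonce(make_nonce(None, now=1000), None, now=1100))  # no ETag
```

A nonce reused on a different resource is rejected and re-issued rather than accepted, which is the reuse cost in point (a); the no-ETag fallback in point (b) leaves the nonce bound only to time and the server key.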
