W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1998

Re: Authentication issue CNONCE: Proposed resolution

From: Dave Kristol <dmk@bell-labs.com>
Date: Fri, 07 Aug 1998 09:52:19 -0400
Message-Id: <35CB0693.412@bell-labs.com>
To: Paul Leach <paulle@microsoft.com>
Cc: 'Scott Lawrence' <lawrence@agranat.com>, Larry Masinter <masinter@parc.xerox.com>, HTTP Working Group <http-wg@hplb.hpl.hp.com>
Paul Leach wrote:
> 
> How about -- if auth= or auth-int= are specified, cnonce= is required and
> MUST be a value never used before by the client?

I concur with the first part.  Is the second part a requirement on the
client, to avoid sending; on the server, to reject if it sees a
duplicate; or both?  I oppose a MUST requirement on the server to reject
a set of credentials that includes a cnonce value that it had seen
before.

BTW, if this is a requirement on the client, is this a prohibition
against sending the same cnonce value to different servers?

Dave Kristol
Received on Friday, 7 August 1998 06:55:38 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:19 EDT