
Re: Authentication issue CNONCE: Proposed resolution

From: Dave Kristol <dmk@bell-labs.com>
Date: Fri, 07 Aug 1998 09:52:19 -0400
Message-Id: <35CB0693.412@bell-labs.com>
To: Paul Leach <paulle@microsoft.com>
Cc: 'Scott Lawrence' <lawrence@agranat.com>, Larry Masinter <masinter@parc.xerox.com>, HTTP Working Group <http-wg@hplb.hpl.hp.com>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/311

Paul Leach wrote:
> How about -- if auth= or auth-int= are specified, cnonce= is required and
> MUST be a value never used before by the client?

I concur with the first part.  Is the second part a requirement on the
client, to avoid sending; on the server, to reject if it sees a
duplicate; or both?  I oppose a MUST requirement on the server to reject
a set of credentials that includes a cnonce value that it had seen

BTW, if this is a requirement on the client, is this a prohibition
against sending the same cnonce value to different servers?

Dave Kristol
Received on Friday, 7 August 1998 06:55:38 UTC
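
Added example, not part of the original message: a sketch of how cnonce enters the Digest request-digest when qop=auth is used, and of a server-side check that cnonce is present whenever a qop is specified. It assumes the computation as later published in RFC 2617 (section 3.2.2.1) and that RFC's sample values; new_cnonce and server_check are hypothetical names, and rejecting a duplicate cnonce is left out because the thread leaves that question open.

```python
import hashlib
import hmac
import secrets


def _h(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """request-digest for qop=auth as published in RFC 2617, section 3.2.2.1."""
    ha1 = _h(f"{user}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def new_cnonce():
    # Client side (hypothetical helper): 128 random bits make a repeat
    # negligibly likely without keeping a history of values already sent.
    return secrets.token_hex(16)


def server_check(creds, password, method="GET"):
    """Hypothetical server check: cnonce is required once qop is specified."""
    qop = creds.get("qop")
    if qop is None:
        return "no-qop"            # credentials without qop: not handled here
    if qop != "auth":
        return "unsupported-qop"   # auth-int also hashes the entity body
    if not creds.get("cnonce"):
        return "missing-cnonce"
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"],
                               creds["nc"], creds["cnonce"])
    # Constant-time comparison of the recomputed and received digests.
    ok = hmac.compare_digest(expected, creds.get("response", ""))
    return "ok" if ok else "bad-response"


# Sample credentials taken from RFC 2617, section 3.5 (password "Circle Of Life").
SAMPLE = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print(server_check(SAMPLE, "Circle Of Life"))
```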
