- From: Dave Kristol <dmk@bell-labs.com>
- Date: Fri, 07 Aug 1998 09:52:19 -0400
- To: Paul Leach <paulle@microsoft.com>
- Cc: 'Scott Lawrence' <lawrence@agranat.com>, Larry Masinter <masinter@parc.xerox.com>, HTTP Working Group <http-wg@hplb.hpl.hp.com>
Paul Leach wrote: > > How about -- if auth= or auth-int= are specified, cnonce= is required and > MUST be a value never used before by the client? I concur with the first part. Is the second part a requirement on the client, to avoid sending; on the server, to reject if it sees a duplicate; or both? I oppose a MUST requirement on the server to reject a set of credentials that includes a cnonce value that it had seen before. BTW, if this is a requirement on the client, is this a prohibition against sending the same cnonce value to different servers? Dave Kristol
Received on Friday, 7 August 1998 06:55:38 UTC