W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1998

RE: Authentication issue CNONCE: Proposed resolution

From: Paul Leach <paulle@microsoft.com>
Date: Fri, 7 Aug 1998 10:00:53 -0700
Message-Id: <CB6657D3A5E0D111A97700805FFE65875D742F@red-msg-51.dns.microsoft.com>
To: 'Dave Kristol' <dmk@bell-labs.com>
Cc: 'Scott Lawrence' <lawrence@agranat.com>, Larry Masinter <masinter@parc.xerox.com>, HTTP Working Group <http-wg@hplb.hpl.hp.com>
This is a MUST on the client in order for it to ensure its own security, not
in order to interoperate. It imposes no burden on servers.

In order to be safe, it is indeed true that the client should never send the
same value, even to different servers. If a server can predict what the
client will send, then we're back in chosen-plaintext-attack land.

-----Original Message-----
From: Dave Kristol [mailto:dmk@bell-labs.com]
Sent: Friday, August 07, 1998 6:52 AM
To: Paul Leach
Cc: 'Scott Lawrence'; Larry Masinter; HTTP Working Group
Subject: Re: Authentication issue CNONCE: Proposed resolution


Paul Leach wrote:
> 
> How about -- if auth= or auth-int= are specified, cnonce= is required and
> MUST be a value never used before by the client?

I concur with the first part.  Is the second part a requirement on the
client, to avoid sending; on the server, to reject if it sees a
duplicate; or both?  I oppose a MUST requirement on the server to reject
a set of credentials that includes a cnonce value that it had seen
before.

BTW, if this is a requirement on the client, is this a prohibition
against sending the same cnonce value to different servers?

Dave Kristol
Received on Friday, 7 August 1998 10:03:22 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:20 EDT