RE: re-use of version URL's [was: some comments from Chris Kaler ...]

> In earlier threads, the response has been that a server writer can
> just tack on a GUID to the version URL to guarantee it isn't re-used
> (RFC-2518 describes a variety of mechanisms for cheaply creating
> GUID's).  
[snip]
> Note that several of the techniques described in 2518, don't
> "guarantee" uniqueness, but rather make it extremely unlikely that
> there will be a collision ... I believe that "extremely unlikely" is
> sufficient for satisfying the "MUST NOT".

As an aside, one good source of "randomness" not mentioned in this
technique is the MAC address on any or all network adaptors in the
machine (the same machine address currently used in UUIDs).

If the MAC address is to be hashed with even slightly random values
(say startup and current times) you have pretty well obliterated 
the security concerns.  Using the MAC address(es) goes a long way 
to insure the uniqueness of the input to the secure hash function.

Not that I'm a member of this working group, but "MUST NOT" with
a vastly improbable chance of collision seems closer to the mark.

--
Preston L. Bannister
preston@home.com
http://members.home.com/preston/ 

Received on Wednesday, 3 January 2001 11:55:44 UTC