- From: Paul Leach <paulle@microsoft.com>
- Date: Wed, 21 Feb 96 13:27:36 PST
- To: dmk@allegra.att.com, ned@innosoft.com
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Ned said (]), in answer to Dave (>):
----------
> Unfortunately, the I-D doesn't talk much about how to generate the
> opaque string, and opaque is an important part of preventing replays of
> the sort recently discussed here. Unfortunately, I can't figure out
> the originator of the algorithm I use to generate opaque, but I think
> it was John Franks. In any case, my opaque is an MD5 of
>  - a server-dependent (compile-time) random number
>  - a timestamp
>  - the request IP address
>  - the (time-dependent) nonce
>  - the security realm
> Opaque in the Authenticate header must match the server's
> request-time-calculated value for processing to proceed.

] For the material you've selected to work it should be used as the nonce
] value. This is included in the digest and will have the effect you're trying
] to achieve.

The draft also says that the nonce is a "server specified integer value". (It _doesn't_ say if it's *HEX or *DIGIT...) If it included all the material Dave uses, it would be a pretty big integer, and clients probably wouldn't know how to increment it. Changing the spec to say it's *HEX, and that the last 32 bits is the part that clients must increment each time they return it in a request, would enable the implementation of your suggestions.

The draft also isn't very specific about what "<message-body>" includes. Does it mean entity-body, or does it include the headers as well? The latter is preferable.

Paul
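The following is an added illustration of the three ideas in this exchange combined, not code from the thread or from any of the posters' servers: Dave's MD5 over a server secret, timestamp, request IP and realm; Ned's placement of that material in the nonce rather than in opaque; and Paul's proposal that the nonce be *HEX with a 32-bit tail the client increments on every request. The server keeps a small per-challenge record (issue time and highest counter seen) so it can recompute the binding at request time; that record, the NUL separators between hashed fields, the 300-second lifetime and the constant-time comparison are my assumptions, and the sample secret, realm and addresses are constructed. MD5 is used because it is what the post describes; it is the binding and counter logic, not the hash choice, that the example is about.

```python
import hashlib
import hmac

COUNTER_HEX = 8  # the last 32 bits of the nonce, written as 8 hex digits


def bind_material(server_secret: bytes, timestamp: int, client_ip: str, realm: str) -> str:
    """MD5 over the material Dave lists (minus the nonce itself, which this value becomes).
    NUL separators between fields are an assumption; the post gives no encoding."""
    parts = [server_secret, str(timestamp).encode(), client_ip.encode(), realm.encode()]
    return hashlib.md5(b"\x00".join(parts)).hexdigest()


def client_increment(nonce: str) -> str:
    """What a client does under Paul's proposal: add one to the low 32 bits, keep the rest."""
    prefix, tail = nonce[:-COUNTER_HEX], nonce[-COUNTER_HEX:]
    counter = (int(tail, 16) + 1) & 0xFFFFFFFF
    return f"{prefix}{counter:0{COUNTER_HEX}x}"


class NonceServer:
    """Server side: issues bound nonces and rejects stale, foreign or replayed ones."""

    def __init__(self, server_secret: bytes, realm: str):
        self.secret = server_secret
        self.realm = realm
        self.issued = {}  # prefix -> [issue time, highest counter accepted]

    def challenge(self, client_ip: str, now: int) -> str:
        prefix = bind_material(self.secret, now, client_ip, self.realm)
        self.issued[prefix] = [now, 0]
        return f"{prefix}{0:0{COUNTER_HEX}x}"  # counter starts at zero; client must bump it

    def accept(self, nonce: str, client_ip: str, now: int, max_age: int = 300) -> bool:
        if len(nonce) <= COUNTER_HEX or any(c not in "0123456789abcdef" for c in nonce):
            return False  # not *HEX, or no room for the 32-bit counter
        prefix, tail = nonce[:-COUNTER_HEX], nonce[-COUNTER_HEX:]
        record = self.issued.get(prefix)
        if record is None:
            return False  # never issued, or already expired and discarded
        issued_at, last_counter = record
        if now - issued_at > max_age:
            del self.issued[prefix]
            return False  # the timestamp in the material has aged out
        # Recompute from the request's own IP: a nonce taken from another client fails here
        expected = bind_material(self.secret, issued_at, client_ip, self.realm)
        if not hmac.compare_digest(expected, prefix):
            return False
        counter = int(tail, 16)
        if counter <= last_counter:
            return False  # counter not advanced: a replayed request
        record[1] = counter
        return True


def demo() -> list:
    """Walk one client through the exchange; returns the accept() verdicts in order."""
    srv = NonceServer(b"constructed-server-secret", "example-realm")
    nonce = srv.challenge("192.0.2.10", now=1000)
    first = client_increment(nonce)
    second = client_increment(first)
    third = client_increment(second)
    return [
        srv.accept(first, "192.0.2.10", now=1001),    # fresh, bound, counter advanced
        srv.accept(first, "192.0.2.10", now=1002),    # same counter again: replay
        srv.accept(second, "192.0.2.10", now=1003),   # next counter value
        srv.accept(third, "203.0.113.5", now=1004),   # same nonce from another address
        srv.accept(third, "192.0.2.10", now=1400),    # correct client, but challenge aged out
    ]


if __name__ == "__main__":
    print(demo())
```

Because the nonce is also an input to the digest itself, a request carrying an old nonce fails the digest check as well as the counter check; the counter check is what lets the server reject a replay of an otherwise valid request within the nonce's lifetime.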
Received on Wednesday, 21 February 1996 13:24:51 UTC