- From: Ned Freed <NED@innosoft.com>
- Date: Thu, 22 Feb 1996 00:18:21 -0800 (PST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: john@math.nwu.edu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> I thought your comments about replay were quite valuable and on target: > I wasn't really grokking all the implications or unencrypted replies > and snooping. > But your scenario only considers GET. > I was actually thinking about exposing some admin functions on my > server via POSTs of form-data. In which case, I definitely DO care > about replay. And about end-to-end integrity of the form-data. > I just don't see that the suggested changes are very big, and they make > the protocol much more secure, and perhaps able to be used in > circumstances beyond what was originally intended -- PUT, DELETE, as > well as POST. > If this were a really hard set of changes to the draft, I'd give up. > But they aren't. I agree with this assessment. Aside from the possibility of specifying an increment to apply to nonce values, none of what has been discussed changes the protocol. This is due in part to the lack of specificity in the draft. Ned
Received on Thursday, 22 February 1996 00:22:41 UTC