- From: Ben Laurie <ben@algroup.co.uk>
- Date: Tue, 20 Jan 1998 10:08:25 +0000
- To: Yaron Goland <yarong@microsoft.com>
- Cc: 'Dave Kristol' <dmk@bell-labs.com>, http-wg@cuckoo.hpl.hp.com
Yaron Goland wrote:

> ASSUMPTION: Avoiding replay attacks is important enough to most implementers
> that either the standard will require or implementers will voluntarily
> refuse to accept the same nonce twice.

As I mentioned in another message, requiring that nonces are only accepted once makes HTTP stateful, and will be difficult to implement in some servers. However, since some servers may want to (at least in some modes) make this requirement, it would seem we need a mechanism to support it. It seems to me that the list-of-nonces (unencumbered by any ordering requirements) is a way to achieve this, which, so long as it is optional, has no impact on servers and clients that do not wish to implement it.

I should point out that a server that implements it is likely to have an awful lot of nonces to track.

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
Received on Tuesday, 20 January 1998 02:12:34 UTC
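As an added illustration of the statefulness cost the message describes (example code, not part of Ben Laurie's message or any HTTP-WG draft): a server-side nonce tracker that checks nonce validity statelessly from a timestamp plus HMAC, and only has to remember nonces still inside their lifetime to refuse a second use, so the set it tracks stays bounded. SERVER_KEY, NONCE_LIFETIME and the nonce layout are assumptions made for this example.

```python
import hmac, hashlib, os

# Constructed example. Nonce = hex(timestamp):hex(HMAC(key, timestamp)), so a
# server can verify a nonce was issued by it and is not expired without any
# state; only nonces still within the lifetime window must be remembered.
SERVER_KEY = os.urandom(32)  # hypothetical per-server secret
NONCE_LIFETIME = 300         # seconds a nonce is accepted at all


def issue_nonce(now: float, key: bytes = SERVER_KEY) -> str:
    ts = f"{int(now):x}"
    tag = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{tag}"


class NonceTracker:
    """Refuses any nonce already accepted once, while keeping the remembered
    set bounded by discarding nonces whose lifetime has expired."""

    def __init__(self, key: bytes = SERVER_KEY, lifetime: int = NONCE_LIFETIME):
        self.key = key
        self.lifetime = lifetime
        self.seen: dict[str, int] = {}  # nonce -> issue timestamp

    def _valid(self, nonce: str, now: float) -> bool:
        try:
            ts, tag = nonce.split(":", 1)
            issued = int(ts, 16)
        except ValueError:
            return False
        expected = hmac.new(self.key, ts.encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted nonce
        return 0 <= now - issued <= self.lifetime

    def _expire(self, now: float) -> None:
        cutoff = now - self.lifetime
        for n in [n for n, t in self.seen.items() if t < cutoff]:
            del self.seen[n]

    def accept(self, nonce: str, now: float) -> bool:
        """True exactly once per valid nonce; False if invalid, expired or replayed."""
        self._expire(now)
        if not self._valid(nonce, now):
            return False
        if nonce in self.seen:
            return False  # replay of an already-used nonce
        self.seen[nonce] = int(nonce.split(":", 1)[0], 16)
        return True
```

Because expiry is checked from the nonce itself, a replay after the window is rejected without the server ever having seen it, which is what keeps the tracked set small.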