- From: Paul Leach <paulle@microsoft.com>
- Date: Tue, 20 Jan 1998 18:33:30 -0800
- To: 'John Franks' <john@math.nwu.edu>
- Cc: Dave Kristol <dmk@bell-labs.com>, Yaron Goland <yarong@microsoft.com>, http-wg@cuckoo.hpl.hp.com
> ---------- > From: John Franks[SMTP:john@math.nwu.edu] > Sent: Tuesday, January 20, 1998 6:23 PM > To: Paul Leach > Cc: Dave Kristol; Yaron Goland; http-wg@cuckoo.hpl.hp.com > Subject: RE: Some comments on Digest Auth > > On Tue, 20 Jan 1998, Paul Leach wrote: > > > > > > Actually, my comment (that both Etag and timestamp are good) was wrong. > You > > can't use an Etag in the nonce, because nonces aren't per-resource. > > They certainly can be. This is purely an implementation decision. > OK, it is, but not a practical one. It would require that every initial request for a URL return 401. That will essentially double the number of round trips. > Some existing implementations work this way. Nothing in the spec > prohibits this and I doubt if that will change. > > Incidentally, whether an implementation is stateful (e.g. remembers all > nonces used) or stateless is also an implementation decision. I very > much doubt that any consensus could be reached on a specification change > which either requires the server to be stateful or prohibits it from > being so. > As long as the stateless one can actually be made more than trivially more secure than Basic. I think we might be well on the way, but let's not forget the priorities. Paul
Received on Wednesday, 21 January 1998 05:07:12 UTC