There has been a lot of nonce-sense spewed here recently about Digest Authentication. There is a current I-D: http://www.internic.net/internet-drafts/draft-ietf-http-digest-aa-02.txt Unfortunately, the I-D doesn't talk much about how to generate the opaque string, and opaque is an important part of preventing replays of the sort recently discussed here. Unfortunately, I can't figure out the originator of the algorithm I use to generate opaque, but I think it was John Franks. In any case, my opaque is an MD5 of - a server-dependent (compile-time) random number - a timestamp - the request IP address - the (time-dependent) nonce - the security realm Opaque in the Authenticate header must match the server's request-time-calculated value for processing to proceed. An Authenticate for one server is unlikely to work for another. I don't know APOP, so I can't comment on its properties.Received on Wednesday, 21 February 1996 06:07:21 UTC
This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:42:57 UTC