- From: Dave Kristol <dmk@allegra.att.com>
- Date: Wed, 21 Feb 96 08:59:18 EST
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
There has been a lot of nonce-sense spewed here recently about Digest Authentication. There is a current I-D:

http://www.internic.net/internet-drafts/draft-ietf-http-digest-aa-02.txt

Unfortunately, the I-D doesn't talk much about how to generate the opaque string, and opaque is an important part of preventing replays of the sort recently discussed here.

Unfortunately, I can't figure out the originator of the algorithm I use to generate opaque, but I think it was John Franks. In any case, my opaque is an MD5 of

- a server-dependent (compile-time) random number
- a timestamp
- the request IP address
- the (time-dependent) nonce
- the security realm

Opaque in the Authenticate header must match the server's request-time-calculated value for processing to proceed. An Authenticate for one server is unlikely to work for another.

I don't know APOP, so I can't comment on its properties.
Received on Wednesday, 21 February 1996 06:07:21 UTC
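The opaque construction described in the message above, worked through as an added example for this page. This is not Dave Kristol's code and not taken from any server implementation; it only follows the five inputs he lists (server secret, timestamp, client IP, nonce, realm) and the rule that the server recomputes opaque at request time and rejects a mismatch. Everything else is an assumption of the example: the timestamp is carried in the clear inside the nonce so the server can recover it; nonces expire after 300 seconds; the server secret is generated per process rather than at compile time; fields are NUL-separated before hashing; and the realm, client addresses and timestamps in the usage are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Stand-in for the "server-dependent (compile-time) random number" (assumption:
# generated per process here rather than baked in at compile time).
SERVER_SECRET = secrets.token_bytes(16)
NONCE_LIFETIME = 300  # seconds a nonce stays valid (assumed; not stated in the message)


def _digest(*parts) -> str:
    """MD5 over the server secret and the given fields, NUL-separated so that
    adjacent fields cannot run together and collide."""
    h = hashlib.md5(SERVER_SECRET)
    for p in parts:
        h.update(b"\x00")
        h.update(str(p).encode())
    return h.hexdigest()


def make_nonce(realm: str, now: int) -> str:
    """Time-dependent nonce. The timestamp rides along in clear text so the
    server can recover it when the client sends the nonce back (assumption)."""
    return f"{now}:{_digest('nonce', now, realm)}"


def make_opaque(client_ip: str, nonce: str, realm: str) -> str:
    """Opaque as listed in the message: MD5 of server secret, timestamp,
    request IP, nonce and realm. The timestamp is the one embedded in the nonce."""
    ts = nonce.split(":", 1)[0]
    return _digest("opaque", ts, client_ip, nonce, realm)


def challenge(realm: str, client_ip: str, now=None) -> dict:
    """Values the server would place in its WWW-Authenticate challenge."""
    now = int(time.time()) if now is None else now
    nonce = make_nonce(realm, now)
    return {"realm": realm, "nonce": nonce,
            "opaque": make_opaque(client_ip, nonce, realm)}


def verify(auth: dict, client_ip: str, now=None) -> bool:
    """Request-time check of the nonce and opaque the client sent back.

    Returns False for a nonce this server did not issue, a nonce outside its
    lifetime, a changed realm, or an opaque that does not match the value
    recomputed for this request (e.g. the same header replayed from another IP).
    """
    now = int(time.time()) if now is None else now
    realm = auth.get("realm", "")
    nonce = auth.get("nonce", "")
    opaque = auth.get("opaque", "")
    ts_str, sep, _ = nonce.partition(":")
    if not sep or not ts_str.isdigit():
        return False
    ts = int(ts_str)
    if not hmac.compare_digest(nonce, make_nonce(realm, ts)):
        return False  # forged nonce, or realm differs from the one it was issued for
    if not 0 <= now - ts <= NONCE_LIFETIME:
        return False  # stale or future-dated nonce
    return hmac.compare_digest(opaque, make_opaque(client_ip, nonce, realm))


if __name__ == "__main__":
    c = challenge("secure@example.com", "192.0.2.10", now=1000)  # constructed values
    print("same client:     ", verify(c, "192.0.2.10", now=1010))
    print("replayed elsewhere:", verify(c, "198.51.100.7", now=1010))
    print("after expiry:    ", verify(c, "192.0.2.10", now=2000))
```

Two caveats a practitioner would add to the scheme as described: a plain MD5 over a secret and some fields is not a keyed MAC, so a current implementation would use HMAC with a proper key (the comparison above is already constant-time), and binding opaque to the request IP rejects legitimate clients whose address changes mid-session, for instance behind a rotating proxy pool.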