Re: more on Digest Auth

On Wed, 21 Feb 1996, Paul Leach wrote:

> The draft also says that the nonce is a "server specified integer 
> value". (It _doesn't_ say if it's *HEX or *DIGIT...) If it included all 
> the material Dave uses, it would be a pretty big integer, and clients 
> probably wouldn't know how to increment it.
> Changing the spec to say it's *HEX, and that the last 32 bits is the 
> part that clients must increment each time they return it in a request, 
> would enable the implementation of your suggestions.

Well, now I'm confused.  I have been talking about 
draft-ietf-http-digest-aa-02.txt my version of which is dated
Dec. 20, 1995 and does not contain the word "increment."

What it does say is:

         A server-specified integer value which may be uniquely generated each
         time a 401 response is made.  Servers may defend themselves against
         replay attacks by refusing to reuse nonce values.  The nonce should be
         considered opqaue (sic) by the client."

Being considered "opaque" by the client means that clients don't increment

John Franks 	Dept of Math. Northwestern University

Received on Wednesday, 21 February 1996 15:02:15 UTC