Re: more on Digest Auth

> I thought your comments about replay were quite valuable and on target:
> I wasn't really grokking all the implications of unencrypted replies
> and snooping.

> But your scenario only considers GET.

> I was actually thinking about exposing some admin functions on my
> server via POSTs of form-data.  In which case, I definitely DO care
> about replay. And about end-to-end integrity of the form-data.

> I just don't see that the suggested changes are very big, and they make
> the protocol much more secure, and perhaps able to be used in
> circumstances beyond what was originally intended -- PUT, DELETE, as
> well as POST.

> If this were a really hard set of changes to the draft, I'd give up.
> But they aren't.

I agree with this assessment. Aside from the possibility of specifying
an increment to apply to nonce values, none of what has been discussed
changes the protocol. This is due in part to the lack of specificity
in the draft.
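As an added example that is not part of this message or of the draft under discussion, the following Python sketches the two properties the quoted poster wants for admin POSTs: replay rejection through a per-nonce count that must strictly increase, and end-to-end integrity of the form-data by hashing the request body into the digest. It assumes a client-supplied nonce count (the draft does not specify one; the "increment to apply to nonce values" above is the closest it comes), uses SHA-256 where the 1996 scheme used MD5, and the realm, credentials and request bodies are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the thread or the draft.  Assumptions: the client
# sends a nonce count that must strictly increase for a given nonce, and the
# digest covers the request body so a POST cannot be altered in transit.

REALM = "admin@example.test"          # constructed sample realm
USERS = {"alice": "correct horse"}    # constructed sample credential store


def H(data: str) -> str:
    """SHA-256 hex digest; the 1996 draft used MD5, swapped here for a modern hash."""
    return hashlib.sha256(data.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, count, body):
    """Response a client computes.  Binding H(body) into HA2 is what gives the
    form-data the end-to-end integrity the poster asks for."""
    ha1 = H(f"{username}:{REALM}:{password}")
    ha2 = H(f"{method}:{uri}:{H(body)}")
    return H(f"{ha1}:{nonce}:{count:08x}:{ha2}")


class DigestServer:
    def __init__(self):
        # nonce -> highest nonce count accepted so far (0 = issued, never used)
        self.nonces = {}

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, count, body, response) -> str:
        """Return 'ok' or a rejection reason; only a fully valid request advances the counter."""
        if username not in USERS:
            return "unknown-user"
        if nonce not in self.nonces:
            return "stale-nonce"            # never issued, or already expired
        if count <= self.nonces[nonce]:
            return "replay"                 # count already consumed: replayed or reordered
        expected = digest_response(username, USERS[username], method, uri, nonce, count, body)
        if not hmac.compare_digest(expected, response):
            return "bad-digest"             # wrong password, or body/URI/method altered in transit
        self.nonces[nonce] = count          # advance only after every check passed
        return "ok"


def demo():
    """Walk one nonce through a legitimate POST, a replay, a tampered body and a fresh request."""
    server = DigestServer()
    nonce = server.issue_nonce()
    uri, body = "/admin/disable", "user=bob"   # constructed admin form-data

    def send(count, sent_body, response=None):
        resp = response or digest_response("alice", USERS["alice"], "POST", uri, nonce, count, sent_body)
        return server.verify("alice", "POST", uri, nonce, count, sent_body, resp)

    results = []
    results.append(send(1, body))                     # legitimate POST            -> ok
    results.append(send(1, body))                     # verbatim replay            -> replay
    captured = digest_response("alice", USERS["alice"], "POST", uri, nonce, 2, body)
    results.append(send(2, "user=alice", captured))   # body altered, digest kept  -> bad-digest
    results.append(send(2, body))                     # client's real count-2 POST -> ok
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the counter advances only after the digest check succeeds, so a failed forgery does not burn a count the genuine client still needs, and the nonce table in this toy never expires entries, which a real server must do to bound memory and to limit how long a snooped nonce stays usable.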


Received on Thursday, 22 February 1996 00:22:41 UTC