Re: Digest Auth defending against replay

In previous posts I have hinted at a mechanism where having unique
nonces each time does not need extra round trips. Only the first time
needs to. If there are multiple auth points all requiring auth, then
an initial shuttle back and forth happens, but once end-to-end is established
no extra round trips are needed.

The authentication point (currently the Origin Server, or the nearest
proxy) piggy-backs the next WWW-Auth or Proxy-Auth on the current
response. So after an initial extra round trip, the client always has
a fresh nonce to use.

For multiple connections, the authentication point needs to keep a
limited cache of outstanding nonces. These don't need very long lifetimes
since the protocol is self-starting.

So you have strong auth, without any major impact on performance.

Pete.

Received on Monday, 26 February 1996 10:37:30 UTC
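The scheme Pete sketches above, as an added simulation that is not part of the original post or of any HTTP implementation: the authentication point hands out a fresh nonce in every response (challenge or success), keeps a bounded, short-lived cache of nonces it has issued but not yet seen used, and accepts each nonce exactly once, so a replayed Authorization header fails while a well-behaved client pays the extra round trip only on its very first request. The class names `AuthPoint`, `Client` and `demo`, the user `pete`/`secret`, and the realm are constructed for the example; headers are simplified to returning the next nonce directly; and the digest is computed in the simple RFC 2069 form (MD5 of `HA1:nonce:HA2`), which is an assumption about the message-digest detail the post leaves open.

```python
import hashlib
import hmac
import secrets
import time
from collections import OrderedDict


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


class AuthPoint:
    """Origin server or proxy that issues nonces and checks Digest responses.

    Every response, whether 401 or 200, carries the nonce for the NEXT
    request, so a client pays an extra round trip only the first time.
    """

    def __init__(self, realm, users, max_outstanding=4, lifetime=60.0, clock=time.monotonic):
        self.realm = realm
        self.users = users                      # username -> password (constructed sample data)
        self.max_outstanding = max_outstanding  # bound on the cache of issued-but-unused nonces
        self.lifetime = lifetime                # seconds a nonce may sit unused before it is dropped
        self.now = clock                        # injectable clock so expiry can be demonstrated
        self.outstanding = OrderedDict()        # nonce -> issue time, oldest first

    def _expire(self):
        now = self.now()
        while self.outstanding:
            nonce, issued = next(iter(self.outstanding.items()))
            if now - issued <= self.lifetime:
                break                           # entries are in issue order, so the rest are newer
            del self.outstanding[nonce]

    def issue_nonce(self):
        self._expire()
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = self.now()
        while len(self.outstanding) > self.max_outstanding:
            self.outstanding.popitem(last=False)  # evict the oldest; that client just gets re-challenged
        return nonce

    def expected_response(self, username, method, uri, nonce):
        ha1 = md5_hex(f"{username}:{self.realm}:{self.users[username]}")
        ha2 = md5_hex(f"{method}:{uri}")
        return md5_hex(f"{ha1}:{nonce}:{ha2}")

    def handle(self, method, uri, auth=None):
        """auth is {username, nonce, response} or None. Returns (status, nonce for the next request)."""
        self._expire()
        ok = False
        if auth is not None and auth["username"] in self.users:
            # A nonce is consumed on first use; a replayed request finds it gone and fails.
            if self.outstanding.pop(auth["nonce"], None) is not None:
                expected = self.expected_response(auth["username"], method, uri, auth["nonce"])
                ok = hmac.compare_digest(expected, auth["response"])
        return (200 if ok else 401), self.issue_nonce()


class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.next_nonce = None                  # the piggy-backed nonce from the last response

    def digest(self, realm, method, uri, nonce):
        ha1 = md5_hex(f"{self.username}:{realm}:{self.password}")
        ha2 = md5_hex(f"{method}:{uri}")
        return {"username": self.username, "nonce": nonce,
                "response": md5_hex(f"{ha1}:{nonce}:{ha2}")}

    def fetch(self, server, method, uri):
        """Returns (status, round trips used, the Authorization data that was sent)."""
        trips = 0
        if self.next_nonce is None:             # only the very first request needs a challenge
            _, self.next_nonce = server.handle(method, uri)
            trips += 1
        auth = self.digest(server.realm, method, uri, self.next_nonce)
        status, self.next_nonce = server.handle(method, uri, auth)
        return status, trips + 1, auth


def demo():
    clock = [0.0]                               # controllable clock for the expiry scenario
    server = AuthPoint("example", {"pete": "secret"}, max_outstanding=4,
                       lifetime=60.0, clock=lambda: clock[0])
    client = Client("pete", "secret")
    results = {}
    status, trips, first_auth = client.fetch(server, "GET", "/a")
    results["first"] = (status, trips)          # (200, 2): challenge plus authenticated request
    status, trips, _ = client.fetch(server, "GET", "/b")
    results["second"] = (status, trips)         # (200, 1): nonce was piggy-backed, no extra trip
    status, _ = server.handle("GET", "/a", first_auth)
    results["replay"] = status                  # 401: that nonce was already consumed
    clock[0] = 61.0                             # client's outstanding nonce outlives its lifetime
    status, _, _ = client.fetch(server, "GET", "/c")
    results["stale"] = status                   # 401, but the response carried a fresh nonce
    status, trips, _ = client.fetch(server, "GET", "/c")
    results["after_stale"] = (status, trips)    # (200, 1): protocol restarts without a challenge
    for _ in range(10):
        server.issue_nonce()                    # many idle connections challenged at once
    results["cache_size"] = len(server.outstanding)  # 4: the cache stays bounded
    return results
```

The replay check works only because `handle` removes the nonce before verifying the digest; a server that merely checked membership would let an attacker with a captured header resubmit it until the nonce expired. The cache bound means a burst of challenged connections can evict a legitimate client's nonce, but the cost is just one more challenge round trip, not a failure.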