I read the latest draft. Something leapt out at me for the first time despite having read it many times -- Digest-Message-Digest. All of my advocacy about incrementing nonces may have been unnecessary, because what I want to do *might* be made possible by Digest-Message-Digest, but I can't tell because its description is a little skimpy. So, let me ask some clarifying questions about Digest-Message-Digest, and then explain what I mean.

The fields in the Digest-Message-Digest header need to be described to the same level as the ones in the WWW-Authenticate and the Authorization headers.

    Digest-MessageDigest: username="<username>", realm="<realm>", nonce="<nonce>", message="<message-digest>"

I know that the whole header is optional, but, if it is sent, are all the parameters optional too? What is the "nonce=" for? Is its value supposed to replace the one the client is currently using? What purpose might the <username> and <realm> parts of the reply serve -- what might the client do with them?

*** IMPORTANT *** If the value of the nonce parameter is supposed to replace the one the client is using, and if this is how current shipping clients (if any) behave, then I will happily withdraw my "incrementing nonce" proposal. A server that wants to prevent replays can give the client a new nonce on each response, constructing it by incrementing or randomizing or timestamps or whatever it wants.

Paul

Received on Tuesday, 27 February 1996 10:07:03 UTC
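Paul's point above, that a server can defeat replays by handing the client a fresh nonce on every response, as an added example that is not part of the post or of the draft: a Python sketch in which the server keeps one live nonce per user, a request consumes it, and the reply carries the next one in a header of the Digest-MessageDigest shape quoted in the post, with the response digest computed as RFC 2069 specifies, H(H(A1):nonce:H(A2)). The realm, the user and password, and the use of message= as a digest over the entity body are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

REALM = "example@draft"
USERS = {"alice": "correct horse"}   # constructed sample credential store

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def client_digest(user, password, realm, nonce, method, uri):
    """Client side: RFC 2069 response = H(H(A1):nonce:H(A2))."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def parse_params(header):
    """Pull the quoted k="v" pairs out of a header shaped like the one in the post."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header.partition(":")[2]))

class RotatingNonceServer:
    """One live nonce per user; a request consumes it, the reply carries the next."""
    def __init__(self):
        self.live = {}
    def challenge(self, user):
        self.live[user] = secrets.token_hex(16)
        return self.live[user]
    def handle(self, user, nonce, method, uri, response, body=""):
        """Return (status, header): 401 for a consumed/unknown nonce or a bad digest."""
        if user not in USERS or self.live.get(user) != nonce:
            return 401, None            # a replayed request fails here
        expected = client_digest(user, USERS[user], REALM, nonce, method, uri)
        if not hmac.compare_digest(expected, response):
            return 401, None
        nxt = self.challenge(user)      # the old nonce is dead from this point on
        # message= as a digest over the body is an assumption about the field's intent
        return 200, (f'Digest-MessageDigest: username="{user}", realm="{REALM}", '
                     f'nonce="{nxt}", message="{md5hex(body)}"')

def demo():
    """Genuine request, a replay of it, then a request using the rotated nonce."""
    srv = RotatingNonceServer()
    n1 = srv.challenge("alice")
    r1 = client_digest("alice", "correct horse", REALM, n1, "GET", "/doc")
    s1, hdr = srv.handle("alice", n1, "GET", "/doc", r1, "hello")
    s2, _ = srv.handle("alice", n1, "GET", "/doc", r1, "hello")   # replay
    n2 = parse_params(hdr)["nonce"]                              # client adopts next nonce
    r2 = client_digest("alice", "correct horse", REALM, n2, "GET", "/doc")
    s3, _ = srv.handle("alice", n2, "GET", "/doc", r2)
    return s1, s2, s3
```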