- From: Paul Leach <paulle@microsoft.com>
- Date: Tue, 27 Feb 96 10:07:37 PST
- To: john@math.nwu.edu
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I read the latest draft. Something leapt out at me for the first time despite having read it many times -- Digest-Message-Digest. All of my advocacy about incrementing nonces may have been unnecessary, because what I want to do *might* be made possible by Digest-Message-Digest, but I can't tell because its description is a little skimpy.

So, let me ask some clarifying questions about Digest-Message-Digest, and then explain what I mean.

The fields in the Digest-Message-Digest header need to be described to the same level as the ones in the WWW-Authenticate and the Authorization headers.

    Digest-MessageDigest:
    username="<username>",
    realm="<realm>",
    nonce="<nonce>",
    message="<message-digest>"

I know that the whole header is optional, but, if it is sent, are all the parameters optional too?

What is the "nonce=" for? Is its value supposed to replace the one the client is currently using?

What purpose might the <username> and <realm> parts of the reply serve -- what might the client do with them?

*** IMPORTANT ***

If the value of the nonce parameter is supposed to replace the one the client is using, and if this is how current shipping clients (if any) behave, then I will happily withdraw my "incrementing nonce" proposal. A server that wants to prevent replays can give the client a new nonce on each response, constructing it by incrementing or randomizing or timestamps or whatever it wants.

Paul
Received on Tuesday, 27 February 1996 10:07:03 UTC
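The replay-prevention scheme the message sketches (the server hands the client a fresh nonce in each response, and the client uses it on its next request) can be shown end to end in a small simulation. The code below is an added example, not part of the original message or of the Digest draft it discusses; the header layout, the `Server`/`Client` classes and the user "alice" with a constructed password are assumptions for illustration, and the hash combination only mirrors the general Digest shape rather than the draft's exact wire format.

```python
import hashlib
import secrets

# Constructed illustration of per-response nonce rotation in a Digest-style
# exchange: each successful server response carries the nonce the client must
# use next, so a captured Authorization header is rejected if it is resent.

def _h(s: str) -> str:
    # Digest of that era used MD5; the rotation idea does not depend on the hash.
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, nonce, method, uri):
    # Digest shape: H( H(A1) : nonce : H(A2) ), with A1 = user:realm:password
    # and A2 = method:uri. Simplified; not the draft's exact quoting rules.
    a1 = _h(f"{username}:{realm}:{password}")
    a2 = _h(f"{method}:{uri}")
    return _h(f"{a1}:{nonce}:{a2}")

class Server:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users            # username -> password (constructed test data)
        self.expected_nonce = {}      # username -> the single nonce currently valid

    def challenge(self, username):
        # Fresh random nonce; the message notes a counter or timestamp would also do.
        nonce = secrets.token_hex(16)
        self.expected_nonce[username] = nonce
        return nonce

    def handle(self, username, nonce, method, uri, response):
        """Return (status, next_nonce). Each nonce is accepted at most once."""
        password = self.users.get(username)
        if password is None or nonce != self.expected_nonce.get(username):
            # Stale or unknown nonce: reject. The still-valid nonce is returned
            # unchanged, so a replayed header cannot knock the real client out of sync.
            return 401, self.expected_nonce.get(username)
        expected = digest_response(username, self.realm, password, nonce, method, uri)
        if not secrets.compare_digest(expected, response):
            return 401, self.expected_nonce.get(username)
        # Success: rotate, and hand the new nonce back in the response
        # (the role the message hopes the nonce= parameter plays).
        return 200, self.challenge(username)

class Client:
    def __init__(self, username, password):
        self.username = username
        self.password = password
        self.nonce = None

    def request(self, server, method, uri):
        if self.nonce is None:
            self.nonce = server.challenge(self.username)   # initial WWW-Authenticate
        resp = digest_response(self.username, server.realm, self.password,
                               self.nonce, method, uri)
        header = (self.username, self.nonce, method, uri, resp)
        status, next_nonce = server.handle(*header)
        if next_nonce:
            self.nonce = next_nonce   # adopt the nonce the server sent back
        return status, header

def run_exchange():
    """Legitimate request, a replay of its captured header, then the next
    legitimate request. Returns the three status codes."""
    server = Server("example-realm", {"alice": "constructed-password"})
    alice = Client("alice", "constructed-password")
    s1, captured = alice.request(server, "GET", "/secret")
    s_replay, _ = server.handle(*captured)          # the same header sent again
    s2, _ = alice.request(server, "GET", "/secret")  # client already holds the new nonce
    return [s1, s_replay, s2]

if __name__ == "__main__":
    print(run_exchange())   # [200, 401, 200]
```

One design choice differs slightly from the message's "new nonce on each response": the server here rotates only after a successful request and echoes the still-valid nonce on failure. Rotating on every response, including rejected ones, would let anyone who resends a captured header invalidate the nonce the legitimate client is about to use, turning replay detection into a denial of service against that client.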