W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 1998

Re: Digest mess

From: Scott Lawrence <lawrence@agranat.com>
Date: Fri, 19 Dec 1997 09:44:47 -0500 (EST)
To: John Franks <john@math.nwu.edu>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, jg@w3.org, paulle@microsoft.com
Message-Id: <Pine.LNX.3.96.971219094427.23855B-100000@alice.agranat.com>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/5030

JF> I think the reason for including dates and expires in a digest is
JF> to prevent replay attacks.  There are many cases where not only is
JF> the information important but the date it was sent is important
JF> (think of a stock quote, for example).

  The digest already includes the server-generated nonce; efficient
  mechanisms already exist in the scheme for a unique nonce for each
  transaction.  Since the nonce and its reusability are controlled by
  the server, this can already be made to match the application

JF> The motivation for including the response status value in the
JF> digest is to have the response from a PUT essentially certify that
JF> the PUT succeeded.

  On the face of it this would seem to be a good idea, but is it
  possible for a proxy to change the response value (as for example
  changing a 303 from a 1.1 origin server to a 302 for a 1.0 user
Received on Monday, 5 January 1998 06:55:07 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:04 UTC