- From: Scott Lawrence <lawrence@agranat.com>
- Date: Fri, 19 Dec 1997 10:23:46 -0500 (EST)
- To: John Franks <john@math.nwu.edu>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, jg@w3.org, paulle@microsoft.com
> John Franks:
> It is the client who must be concerned about reused nonces to avoid
> a replay attack. To avoid a replay attack the client would have to
> keep a database of all previous nonces and make sure they are not
> reused.

No - it only needs to keep the nonce it used for the outstanding request; if that does not produce the correct digest then it is not valid even if it would have been valid for some earlier request.

> Yes a proxy might change the status code. That is why it needs to be
> replicated in the Authentication-Info header. Hashing the status code
> is what John Mallery was talking about when he said with a few minor
> changes digest could become really useful. :)

Ok; that makes sense, but I don't think that we need the dates - they are not essential to detecting response replays and they are many more bytes.
Received on Monday, 5 January 1998 06:59:26 UTC
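The client-side check described in the message above, as an added illustration that is not part of the http-wg thread or of any Digest implementation: the client remembers only the nonce of its one outstanding request, recomputes the expected response digest, and rejects both a replayed response (minted for an earlier nonce) and a response whose status code a proxy has rewritten. The H()/KD() structure follows HTTP Digest (RFC 2069, MD5); mixing the status code into the response digest is the proposal under discussion, and the exact concatenation order, the `rspauth` parameter name, the `DigestClient`/`server_rspauth` helpers and the user, realm, nonces and headers are assumptions constructed for this example.

```python
"""Client-side replay check for a Digest-style Authentication-Info digest.

Added illustration, not code from the http-wg thread. Modelled on the
H()/KD() structure of HTTP Digest (RFC 2069). Hashing the status code
into the response digest is the proposal discussed in the thread; the
concatenation order used here is an assumption, not a standard's text.
"""
import hashlib
import hmac
import re
from typing import Optional


def H(data: str) -> str:
    """Digest's H(): lowercase hex MD5 (the hash the 1997 spec used)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """Digest's KD(secret, data) = H(secret ":" data)."""
    return H(secret + ":" + data)


def server_rspauth(ha1: str, nonce: str, status: int, uri: str) -> str:
    """What the origin server puts in Authentication-Info rspauth.

    Assumed construction: the nonce and a hash of (status code, URI) are
    bound under the shared H(A1), so a response replayed from another
    nonce, or one whose status code a proxy rewrote, no longer verifies.
    """
    return KD(ha1, nonce + ":" + H(f"{status}:{uri}"))


_RSPAUTH = re.compile(r'rspauth="([0-9a-f]+)"')


class DigestClient:
    """Keeps only the nonce of the single outstanding request, no nonce database."""

    def __init__(self, user: str, realm: str, password: str) -> None:
        self._ha1 = H(f"{user}:{realm}:{password}")
        self._outstanding_nonce: Optional[str] = None

    def send(self, nonce: str) -> None:
        """Issue a request under `nonce`; only this nonce is remembered."""
        self._outstanding_nonce = nonce

    def verify_response(self, status: int, uri: str, auth_info_header: str) -> bool:
        """Accept the response only if rspauth was computed for the outstanding nonce."""
        if self._outstanding_nonce is None:
            return False
        m = _RSPAUTH.search(auth_info_header)
        if not m:
            return False
        expected = server_rspauth(self._ha1, self._outstanding_nonce, status, uri)
        self._outstanding_nonce = None  # one nonce is consumed by one response
        return hmac.compare_digest(expected, m.group(1))


def run_scenario() -> dict:
    """Constructed exchange: genuine, replayed, and proxy-altered responses."""
    user, realm, password, uri = "alice", "example", "hunter2", "/secret"
    ha1 = H(f"{user}:{realm}:{password}")  # the server holds the same H(A1)
    client = DigestClient(user, realm, password)
    results = {}

    # Request 1 under nonce n1: the genuine server response verifies.
    client.send("n1")
    hdr1 = f'nextnonce="n2", rspauth="{server_rspauth(ha1, "n1", 200, uri)}"'
    results["genuine"] = client.verify_response(200, uri, hdr1)

    # Request 2 under nonce n2: an attacker replays the captured response from request 1.
    client.send("n2")
    results["replayed"] = client.verify_response(200, uri, hdr1)

    # Request 3: right nonce, but a proxy rewrote the status code 200 -> 304.
    client.send("n3")
    hdr3 = f'rspauth="{server_rspauth(ha1, "n3", 200, uri)}"'
    results["status_altered"] = client.verify_response(304, uri, hdr3)

    # Request 4: right nonce and status verifies again; nothing older was kept.
    client.send("n4")
    hdr4 = f'rspauth="{server_rspauth(ha1, "n4", 200, uri)}"'
    results["genuine_again"] = client.verify_response(200, uri, hdr4)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point the message makes falls out of the scenario: no history of nonces is needed, because a digest computed for any nonce other than the one currently outstanding simply fails to match, and the same single comparison also catches a status code changed in transit once the server has hashed it in.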