
Re: Digest mess

From: John Franks <john@math.nwu.edu>
Date: Tue, 6 Jan 1998 09:44:01 -0600 (CST)
To: Scott Lawrence <lawrence@agranat.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.LNX.3.96.980106092849.467B-100000@hopf.math.nwu.edu>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/5075

On Tue, 6 Jan 1998, Scott Lawrence wrote:

>   I would like to
>   be able to implement it in a single parsing pass over the message,
>   which is certainly impossible if arbitrary headers may be included
>   by an attribute in a field that may be sent in a trailer.

I see no problem with a single pass.  Remember the actual message
headers are irrelevant for authentication purposes.  Conversely, the
"origin-headers" play no role as HTTP headers, but are used only for
authentication.  There is no problem if the origin-headers come at the
end.  The single pass is (1) read entity-body and calculate
H(entity-body), (2) read Auth-info and calculate entity-digest using
origin-headers field, and (3) compare calculated entity digest with
sender supplied entity-digest.  A point worth emphasizing is that
the actual HTTP headers never get used in any way in the authentication

>   Getting back to the original problem - the prevention of the replay
>   of a valid message in response to a different request.  The server
>   can already prevent replay of a past client message by changing the
>   nonce value included in the challenge.

I don't understand this.  Why wouldn't a man-in-the-middle replay
an earlier challenge with a valid, but old, nonce?  In fact the
MIM would have to do this for the replay attack to work.

John Franks
Received on Tuesday, 6 January 1998 07:46:07 UTC
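The three-step single pass described in the message, as an added example that is not part of the original post or of any draft: the body is hashed while it streams, the Authentication-Info trailer is parsed afterwards, and the actual HTTP headers are accepted but never consulted. The digest construction (an HMAC over the origin-headers string and H(entity-body)), the shared secret, the trailer layout and the sample values are all assumptions made for the example.

```python
import hashlib
import hmac
import re


def entity_digest(secret: bytes, origin_headers: str, body_hash_hex: str) -> str:
    """Assumed construction (the draft's exact formula is not on the page):
    keyed hash over the origin-headers string and H(entity-body)."""
    msg = f"{origin_headers}:{body_hash_hex}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def parse_auth_info(value: str) -> dict:
    """Parse key=value and key="quoted value" pairs from a header value."""
    pairs = re.finditer(r'(\w[\w-]*)=(?:"([^"]*)"|([^,\s]+))', value)
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in pairs}


def verify_single_pass(secret: bytes, http_headers: dict, body_chunks, trailer: dict) -> bool:
    """Steps (1)-(3) from the message. http_headers is deliberately unused:
    the actual HTTP headers play no role in the authentication."""
    h = hashlib.sha256()
    for chunk in body_chunks:            # (1) stream the entity-body, hash as we go
        h.update(chunk)
    body_hash = h.hexdigest()
    auth = parse_auth_info(trailer.get("Authentication-Info", ""))  # (2) trailer
    if "origin-headers" not in auth or "entity-digest" not in auth:
        return False                     # missing fields: fail closed
    expected = entity_digest(secret, auth["origin-headers"], body_hash)
    return hmac.compare_digest(expected, auth["entity-digest"])     # (3) compare


def sender_trailer(secret: bytes, origin_headers: str, body: bytes) -> dict:
    """What the origin server would append after the body (assumed layout)."""
    d = entity_digest(secret, origin_headers, hashlib.sha256(body).hexdigest())
    return {"Authentication-Info": f'origin-headers="{origin_headers}", entity-digest={d}'}


# Constructed sample values (not from the page).
SECRET = b"constructed-shared-secret"
ORIGIN = "Content-Type: text/plain; Last-Modified: Tue, 06 Jan 1998 15:44:01 GMT"
BODY = b"hello, digest\n"
TRAILER = sender_trailer(SECRET, ORIGIN, BODY)


def demo():
    """Returns (valid message accepted, tampered body rejected)."""
    ok = verify_single_pass(SECRET, {"Content-Type": "text/html"}, iter([BODY[:5], BODY[5:]]), TRAILER)
    bad = verify_single_pass(SECRET, {}, iter([b"hello, forged\n"]), TRAILER)
    return ok, bad
```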