- From: John Franks <john@math.nwu.edu>
- Date: Tue, 6 Jan 1998 09:44:01 -0600 (CST)
- To: Scott Lawrence <lawrence@agranat.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Tue, 6 Jan 1998, Scott Lawrence wrote:

> I would like to be able to implement it in a single parsing pass over
> the message, which is certainly impossible if arbitrary headers may be
> included by an attribute in a field that may be sent in a trailer.

I see no problem with a single pass. Remember the actual message headers are irrelevant for authentication purposes. Conversely, the "origin-headers" play no role as HTTP headers, but are used only for authentication. There is no problem if the origin-headers come at the end. The single pass is (1) read entity-body and calculate H(entity-body), (2) read Auth-info and calculate entity-digest using origin-headers field, and (3) compare calculated entity-digest with sender-supplied entity-digest.

A point worth emphasizing is that the actual HTTP headers never get used in any way in the authentication process.

> Getting back to the original problem - the prevention of the replay
> of a valid message in response to a different request. The server
> can already prevent replay of a past client message by changing the
> nonce value included in the challenge.

I don't understand this. Why wouldn't a man-in-the-middle replay an earlier challenge with a valid, but old, nonce? In fact the MIM would have to do this for the replay attack to work.

John Franks
john@math.nwu.edu
Received on Tuesday, 6 January 1998 07:46:07 UTC
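As an added illustration (not part of John Franks's message or of the HTTP-WG draft under discussion), the following Python sketches the three-step single pass he describes: stream the entity-body to get H(entity-body), then read the Auth-info trailer fields (origin-headers and entity-digest), recompute the entity-digest, and compare. The concatenation used inside `entity_digest` is a simplified, hypothetical construction chosen for illustration, not the draft's exact formula, and SHA-256 stands in for the MD5 of the period. The `NonceTracker` class is likewise an assumption added to show the nonce bookkeeping a server needs if an old-but-valid nonce is not to be accepted again, which is the concern raised in the last paragraph of the message. Note that the ordinary HTTP headers never enter the computation at all.

```python
import hashlib
import hmac
import time

ALGO = "sha256"  # assumption: modern digest in place of the era's MD5


def hash_entity_body(chunks, algo=ALGO):
    """Step 1: stream the entity-body and return H(entity-body) as hex."""
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def entity_digest(nonce, method, origin_headers, body_hash, algo=ALGO):
    """Step 2: bind H(entity-body) to the nonce, the method and the
    origin-headers field carried in Auth-info.  Hypothetical, simplified
    construction for illustration; not the draft's exact formula."""
    material = ":".join([nonce, method, origin_headers, body_hash])
    return hashlib.new(algo, material.encode()).hexdigest()


def verify_single_pass(method, nonce, body_chunks, trailer, algo=ALGO):
    """Steps 1-3 in one pass.  `trailer` holds the Auth-info fields that
    arrive after the body.  The real HTTP headers are never consulted."""
    body_hash = hash_entity_body(body_chunks, algo)
    expected = entity_digest(nonce, method, trailer["origin-headers"],
                             body_hash, algo)
    # Step 3: constant-time comparison against the sender-supplied value.
    return hmac.compare_digest(expected, trailer["entity-digest"])


def build_client_trailer(method, nonce, origin_headers, body_chunks, algo=ALGO):
    """Client side: produce the Auth-info trailer for a message."""
    body_hash = hash_entity_body(body_chunks, algo)
    return {
        "origin-headers": origin_headers,
        "entity-digest": entity_digest(nonce, method, origin_headers,
                                       body_hash, algo),
    }


class NonceTracker:
    """Server-side nonce bookkeeping (assumed design): a nonce the server
    issued is accepted once, and only within its lifetime, so a replayed
    message or a replayed old challenge is rejected at the nonce check."""

    def __init__(self, lifetime_s=300, now=time.time):
        self.lifetime = lifetime_s
        self.now = now
        self.issued = {}  # nonce -> time of issue
        self.used = set()

    def issue(self, nonce):
        self.issued[nonce] = self.now()

    def accept(self, nonce):
        t = self.issued.get(nonce)
        if t is None or nonce in self.used or self.now() - t > self.lifetime:
            return False
        self.used.add(nonce)
        return True


def demo():
    """Constructed sample exchange; all values below are made up."""
    method = "PUT"
    nonce = "c0ffee01"                            # constructed nonce
    origin_headers = "Content-Type: text/plain"   # constructed field value
    body = [b"hello ", b"world\n"]                # body delivered in two chunks
    trailer = build_client_trailer(method, nonce, origin_headers, body)

    tracker = NonceTracker()
    tracker.issue(nonce)
    results = {}
    # Genuine message: digest verifies and the nonce is fresh.
    results["genuine"] = (verify_single_pass(method, nonce, body, trailer)
                          and tracker.accept(nonce))
    # Altered body: caught at step 3.
    results["tampered_body"] = verify_single_pass(
        method, nonce, [b"hello ", b"w0rld\n"], trailer)
    # Altered origin-headers field: also caught, since it is part of the digest.
    tampered = dict(trailer)
    tampered["origin-headers"] = "Content-Type: text/html"
    results["tampered_origin_headers"] = verify_single_pass(
        method, nonce, body, tampered)
    # Replay of the genuine message: the digest alone still verifies ...
    results["replay_digest_ok"] = verify_single_pass(method, nonce, body, trailer)
    # ... so only the nonce bookkeeping can reject it.
    results["replay_accepted"] = tracker.accept(nonce)
    # An old nonce past its lifetime is rejected even on first use.
    clock = [1000.0]
    slow = NonceTracker(lifetime_s=60, now=lambda: clock[0])
    slow.issue("old-nonce")
    clock[0] += 120
    results["expired_nonce"] = slow.accept("old-nonce")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The digest check detects modification of the body or of the origin-headers field, but a verbatim replay passes it; that is why the last two cases hand the decision to the nonce state rather than to the digest.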