W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 1998

Re: Some comments on Digest Auth

From: Ben Laurie <ben@algroup.co.uk>
Date: Sat, 17 Jan 1998 23:14:33 +0000
Message-Id: <34C13B59.BB0556B0@algroup.co.uk>
To: Yaron Goland <yarong@microsoft.com>
Cc: http-wg@cuckoo.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/5212
Yaron Goland wrote:
> 3) Assuming using a new nonce for every request becomes a MUST it will be
> impossible to use pipelining or concurrent requests. The performance
> implications are chilling. As such we were thinking of an addition to the
> standard which would be 100% backwards compatible but would help with
> performance. The idea is to send a "next-nonce" header which includes a list
> of nonces. The client MUST use the nonces in order, this is necessary to
> make the server's job of tracking nonces tractable. Current clients would
> ignore the header and just use the nonce provided in the authentication
> response header. I am not privy to the black corridors of security so I
> can't be sure this wouldn't weaken the algorithm but it seems to make the
> mechanism no weaker than providing the next nonce in the authentication
> response header.

Seems to me that the problem with this is that you can't enforce "the
client MUST use the nonces in order", partly because multiple
simultaneous connections, for example, could foil the client's best
efforts to obey, by exhibiting variable delay, and partly because the
client may be multithreaded, so synchronizing the sending of the nonces
with each other (as opposed to the acquisition of them, which is
trivially synchronized) would be onerous.

The way to fix this is to say "the client MUST use each nonce at most
once", perhaps? I think this still makes life easy for the server,



Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
Received on Saturday, 17 January 1998 15:16:27 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:04 UTC