- From: Ben Laurie <ben@algroup.co.uk>
- Date: Sat, 17 Jan 1998 23:14:33 +0000
- To: Yaron Goland <yarong@microsoft.com>
- Cc: http-wg@cuckoo.hpl.hp.com
Yaron Goland wrote: > 3) Assuming using a new nonce for every request becomes a MUST it will be > impossible to use pipelining or concurrent requests. The performance > implications are chilling. As such we were thinking of an addition to the > standard which would be 100% backwards compatible but would help with > performance. The idea is to send a "next-nonce" header which includes a list > of nonces. The client MUST use the nonces in order, this is necessary to > make the server's job of tracking nonces tractable. Current clients would > ignore the header and just use the nonce provided in the authentication > response header. I am not privy to the black corridors of security so I > can't be sure this wouldn't weaken the algorithm but it seems to make the > mechanism no weaker than providing the next nonce in the authentication > response header. Seems to me that the problem with this is that you can't enforce "the client MUST use the nonces in order", partly because multiple simultaneous connections, for example, could foil the client's best efforts to obey, by exhibiting variable delay, and partly because the client may be multithreaded, so synchronizing the sending of the nonces with each other (as opposed to the acquisition of them, which is trivially synchronized) would be onerous. The way to fix this is to say "the client MUST use each nonce at most once", perhaps? I think this still makes life easy for the server, right? Cheers, Ben. -- Ben Laurie |Phone: +44 (181) 735 0686|Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author A.L. Digital Ltd, |http://www.algroup.co.uk/Apache-SSL London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
Received on Saturday, 17 January 1998 15:16:27 UTC