RE: Some comments on Digest Auth

On Tue, 20 Jan 1998, Paul Leach wrote:

> > 
> Actually, my comment (that both Etag and timestamp are good) was wrong. You
> can't use an Etag in the nonce, because nonces aren't per-resource. 

They certainly can be.  This is purely an implementation decision.
Some existing implementations work this way.  Nothing in the spec
prohibits this and I doubt if that will change.

Incidentally, whether an implementation is stateful (e.g. remembers all
nonces used) or stateless is also an implementation decision.  I very
much doubt that any consensus could be reached on a specification change
which either requires the server to be stateful or prohibits it from 
being so.

John Franks

Received on Tuesday, 20 January 1998 18:29:28 UTC
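
Added example, not part of the original message or of any implementation it mentions: a sketch of the two implementation choices discussed above, a stateless per-resource nonce bound to an ETag and a timestamp, and an optional stateful store that remembers used nonces. The key, lifetime, function and class names, and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server
MAX_AGE = 300                         # assumption: nonce lifetime in seconds


def _mac(timestamp: int, etag: str) -> str:
    # Binds the nonce to one resource version (ETag) and one issue time.
    msg = f"{timestamp}:{etag}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_nonce(etag: str, now=None) -> str:
    ts = int(time.time() if now is None else now)
    return base64.b64encode(f"{ts}:{_mac(ts, etag)}".encode()).decode()


def check_nonce(nonce: str, etag: str, now=None) -> str:
    """Stateless check: returns 'ok', 'stale' or 'invalid' with no server storage."""
    now = int(time.time() if now is None else now)
    try:
        decoded = base64.b64decode(nonce, validate=True).decode("ascii")
        ts_text, mac = decoded.split(":", 1)
        ts = int(ts_text)
    except ValueError:  # bad base64, non-ASCII bytes, missing ':' or bad integer
        return "invalid"
    if not hmac.compare_digest(mac, _mac(ts, etag)):
        return "invalid"  # forged, or issued for a different ETag
    if not 0 <= now - ts <= MAX_AGE:
        return "stale"    # server would issue a fresh nonce
    return "ok"


class UsedNonceStore:
    """Stateful option: also remember every accepted nonce and refuse reuse."""

    def __init__(self):
        self._used = set()

    def check_once(self, nonce: str, etag: str, now=None) -> str:
        status = check_nonce(nonce, etag, now)
        if status == "ok":
            if nonce in self._used:
                return "replayed"
            self._used.add(nonce)
        return status
```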