> ----------
> From: John Franks[SMTP:john@math.nwu.edu]
> Sent: Tuesday, January 20, 1998 6:23 PM
> To: Paul Leach
> Cc: Dave Kristol; Yaron Goland; http-wg@cuckoo.hpl.hp.com
> Subject: RE: Some comments on Digest Auth
>
> On Tue, 20 Jan 1998, Paul Leach wrote:
>
> >
> >
> > Actually, my comment (that both Etag and timestamp are good) was wrong. You
> > can't use an Etag in the nonce, because nonces aren't per-resource.
>
> They certainly can be. This is purely an implementation decision.
>

OK, it is, but not a practical one. It would require that every initial
request for a URL return 401. That will essentially double the number of
round trips.

> Some existing implementations work this way. Nothing in the spec
> prohibits this and I doubt if that will change.
>
> Incidentally, whether an implementation is stateful (e.g. remembers all
> nonces used) or stateless is also an implementation decision. I very
> much doubt that any consensus could be reached on a specification change
> which either requires the server to be stateful or prohibits it from
> being so.
>

As long as the stateless one can actually be made more than trivially more
secure than Basic. I think we might be well on the way, but let's not
forget the priorities.

Paul

Received on Wednesday, 21 January 1998 05:07:12 UTC
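An added illustration, not code from the thread or from any Digest implementation: the stateless timestamp-based nonce the two messages argue about, in the `time-stamp ":" H(time-stamp ":" ETag ":" private-key)` shape RFC 2617 suggests. It assumes a constructed server secret, HMAC-SHA-256 as the hash, and a 300-second lifetime; with an empty ETag the nonce is not per-resource, and passing an ETag binds it to one resource, which is why the first request for each URL would then have to be challenged.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server secret: the "private-key" the nonce is keyed with.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
NONCE_LIFETIME = 300  # seconds a nonce stays acceptable


def _mac(timestamp: str, etag: str) -> str:
    # H(time-stamp ":" ETag ":" private-key), realised as HMAC-SHA-256
    # so the server secret keys the hash rather than being concatenated.
    return hmac.new(SERVER_SECRET, f"{timestamp}:{etag}".encode(),
                    hashlib.sha256).hexdigest()


def make_nonce(etag: str = "", now: Optional[float] = None) -> str:
    """Issue a stateless nonce: nothing is stored per nonce.

    etag="" yields a nonce that is not per-resource; a non-empty ETag
    binds the nonce to one representation of one resource.
    """
    ts = str(int(time.time() if now is None else now))
    return base64.b64encode(f"{ts}:{_mac(ts, etag)}".encode()).decode()


def check_nonce(nonce: str, etag: str = "", now: Optional[float] = None) -> bool:
    """Validate by recomputation alone (no nonce table, so no server state).

    Caveat: without state a nonce can be reused within NONCE_LIFETIME;
    per-nonce replay detection is exactly what a stateful server adds.
    """
    try:
        ts, mac = base64.b64decode(nonce).decode().split(":", 1)
        issued = int(ts)
    except (ValueError, UnicodeDecodeError):
        return False
    if not hmac.compare_digest(mac, _mac(ts, etag)):
        return False  # forged, or bound to a different ETag
    current = time.time() if now is None else now
    return 0 <= current - issued <= NONCE_LIFETIME
```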