RE: Some comments on Digest Auth

> ----------
> From: 	John Franks[]
> Sent: 	Monday, January 19, 1998 10:41 AM
> To: 	Dave Kristol
> Cc: 	Yaron Goland;
> Subject: 	Re: Some comments on Digest Auth

> It is also a good idea to embed the requestor's IP address.
This will be broken when there is a proxy farm, each with its own IP
address, and where the client chooses the particular proxy based on the

> One thing that I would like to do, but which would conflict with a
> pre-delivered list of nonces, is to embed the (strong) ETag of a
> document in the nonce.  This is simpler than timestamping and
> guarantees that a replay can only retrieve exactly the same document
> (which a MITM has presumably already seen when he captured the nonce.)
Both would be good -- otherwise you can retrieve the same document
indefinitely into the future.
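
The nonce construction the thread is discussing, as an added example that is not part of this message or of any Digest implementation: the server binds a timestamp and the document's strong ETag into the nonce under a server-side key, so a captured nonce replayed later is rejected as stale, and a nonce replayed against a changed document fails verification. The nonce layout, the HMAC-SHA256 choice, the `NONCE_LIFETIME` value, the `SERVER_KEY` value and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time

# Constructed server secret for this example only; a real server generates
# and protects its own key.
SERVER_KEY = b"example-private-key-not-for-production"

# Assumed nonce lifetime in seconds; beyond this the server would answer
# with stale=true so the client retries with a fresh nonce.
NONCE_LIFETIME = 300


def make_nonce(etag: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Build a nonce bound to a timestamp and the resource's strong ETag.

    Assumed layout: base64("<timestamp>:<hex-mac>") where
    hex-mac = HMAC-SHA256(key, "<timestamp>:<etag>").  The server keeps no
    per-nonce state; it recomputes the MAC when a client presents the nonce.
    """
    mac = hmac.new(key, f"{now}:{etag}".encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{now}:{mac}".encode()).decode()


def check_nonce(nonce: str, etag: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Verify a presented nonce against the ETag of the document being served.

    Returns "ok", "stale" (timestamp outside the lifetime) or "invalid"
    (malformed, tampered, or issued for a different ETag).
    """
    try:
        ts_str, mac = base64.b64decode(nonce).decode().split(":", 1)
        ts = int(ts_str)
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError subclass
        return "invalid"
    expected = hmac.new(key, f"{ts}:{etag}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        # ETag differs from the one the nonce was issued for, or the nonce
        # was forged: a replay cannot fetch anything but the same document.
        return "invalid"
    if ts > now or now - ts > NONCE_LIFETIME:
        # Timestamp binding: the same document is not retrievable indefinitely.
        return "stale"
    return "ok"


if __name__ == "__main__":
    issued_at = int(time.time())
    nonce = make_nonce('"etag-v1"', issued_at)
    print("same document, fresh:   ", check_nonce(nonce, '"etag-v1"', issued_at + 10))
    print("document changed:       ", check_nonce(nonce, '"etag-v2"', issued_at + 10))
    print("same document, too late:", check_nonce(nonce, '"etag-v1"', issued_at + NONCE_LIFETIME + 1))
```

Because the MAC input can be extended with anything the server can recompute on the next request, the requestor's IP address could be folded in the same way; as the reply above notes, that binding breaks as soon as successive requests from one client arrive through different members of a proxy farm, which is why this example binds only the timestamp and the ETag.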


Received on Wednesday, 21 January 1998 05:07:23 UTC