- From: Paul Leach <paulle@microsoft.com>
- Date: Tue, 20 Jan 1998 12:54:00 -0800
- To: Dave Kristol <dmk@bell-labs.com>, 'John Franks' <john@math.nwu.edu>
- Cc: Yaron Goland <yarong@microsoft.com>, http-wg@cuckoo.hpl.hp.com
> ----------
> From: John Franks[SMTP:john@math.nwu.edu]
> Sent: Monday, January 19, 1998 10:41 AM
> To: Dave Kristol
> Cc: Yaron Goland; http-wg@cuckoo.hpl.hp.com
> Subject: Re: Some comments on Digest Auth
>
> <snip>
>
> It is also a good idea to embed the requestor's IP address.

This will be broken when there is a proxy farm, each with its own IP address, and where the client chooses the particular proxy based on the URL.

> One thing that I would like to do, but which would conflict with a
> pre-delivered list of nonces, is to embed the (strong) ETag of a
> document in the nonce. This is simpler than timestamping and
> guarantees that a replay can only retrieve exactly the same document
> (which a MITM has presumably already seen when he captured the nonce.)

Both would be good -- otherwise you can retrieve the same document indefinitely into the future.

Paul
Received on Wednesday, 21 January 1998 05:07:23 UTC
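The nonce construction the two messages converge on (a timestamp plus the resource's strong ETag, so a captured nonce is both time-limited and bound to one document) as an added example; this is not code from the thread or from any Digest implementation. It assumes a server-held secret, uses an HMAC in place of the keyed hash the Digest spec describes, and deliberately leaves the client IP out for the proxy-farm reason Paul gives.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret; a real server keeps this private and rotates it.
SERVER_SECRET = b"constructed-example-secret"
MAX_NONCE_AGE = 300  # seconds a nonce stays acceptable before it is "stale"


def make_nonce(etag: str, issued_at: Optional[int] = None) -> str:
    """Issue a nonce bound to an issue time and the strong ETag of the resource.

    The client IP is intentionally not mixed in: behind a proxy farm the same
    client may arrive from several addresses, which would reject valid requests.
    """
    ts = int(time.time()) if issued_at is None else issued_at
    mac = hmac.new(SERVER_SECRET, f"{ts}:{etag}".encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{mac}".encode()).decode()


def check_nonce(nonce: str, etag: str, now: Optional[int] = None) -> str:
    """Validate a presented nonce against the ETag of the resource being requested.

    Returns "ok", "stale" (issued too long ago), "mismatch" (not issued for this
    resource, or forged), or "malformed" (cannot be parsed at all).
    """
    now = int(time.time()) if now is None else now
    try:
        ts_str, mac = base64.b64decode(nonce).decode().split(":", 1)
        ts = int(ts_str)
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    # Recompute with the ETag of the *requested* document; a nonce captured while
    # fetching document A cannot be replayed to fetch document B.
    expected = hmac.new(SERVER_SECRET, f"{ts}:{etag}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "mismatch"
    # The timestamp closes the remaining window: the same document cannot be
    # re-fetched indefinitely into the future with the same nonce.
    if now - ts > MAX_NONCE_AGE:
        return "stale"
    return "ok"


if __name__ == "__main__":
    n = make_nonce('"etag-v1"', issued_at=1000)        # constructed ETag and clock
    print(check_nonce(n, '"etag-v1"', now=1100))       # ok
    print(check_nonce(n, '"etag-v2"', now=1100))       # mismatch: document changed
    print(check_nonce(n, '"etag-v1"', now=1000 + 301)) # stale: window closed
```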