RE: Some comments on Digest Auth

From: Yaron Goland <yarong@microsoft.com>
Date: Mon, 19 Jan 1998 14:42:08 -0800
Message-Id: <3FF8121C9B6DD111812100805F31FC0D0113C664@red-msg-59.dns.microsoft.com>
To: "'dmk@research.bell-labs.com'" <dmk@research.bell-labs.com>
Cc: "'http-wg@cuckoo.hpl.hp.com'" <http-wg@cuckoo.hpl.hp.com>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/5241
Oh wait, I thought we were requiring that nonces never be re-used. If not,
then that is cool; the next-nonce header should go into a SEPARATE
specification from the draft digest auth proposal. Since it is 100%
compatible with RFC 2069 and the draft digest auth proposal, I don't see any
reason to shove it into the main digest auth spec. It can ride on its own.

> -----Original Message-----
> From:	dmk@research.bell-labs.com [SMTP:dmk@research.bell-labs.com]
> Sent:	Monday, January 19, 1998 11:13 AM
> To:	Yaron Goland
> Cc:	http-wg@cuckoo.hpl.hp.com
> Subject:	RE: Some comments on Digest Auth
> Yaron Goland <yarong@microsoft.com> wrote:
>   > ASSUMPTION: Avoiding replay attacks is important enough to most implementers
>   > that either the standard will require or implementers will voluntarily
>   > refuse to accept the same nonce twice.
>   > 
>   > GOAL OF THIS MESSAGE: To demonstrate that the current digest auth
>   > mechanism, from the point of view of performance in situations where we wish
>   > to prevent replay attacks, is unacceptably sub-optimal.
> Ah, excellent that you set those forth, because I disagree with the
> assumption.
> The purpose of Digest is to replace Basic, with its cleartext
> passwords.  Basic is already subject to replay attacks.  Digest should
> be no more susceptible, and it isn't more susceptible.  By clever
> choice of time-limited nonces, it can easily be less so.  But it isn't
> perfect.  We've known that for a long time.
> So let me hark back to the discussion of a few weeks ago.  Let's not
> try to make Digest do something it was not intended to do.  Let's
> hold replay-proof Digest for digest-ng discussions.
> Dave Kristol
Received on Wednesday, 21 January 1998 05:08:19 UTC
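A server-side sketch of the two nonce policies argued over above, added here as an illustration and not code from either correspondent or from RFC 2069: a time-limited nonce that the server can verify without storing anything (Kristol's "clever choice of time-limited nonces"), and the stricter refuse-the-same-nonce-twice policy Goland assumes, which needs per-nonce bookkeeping and so pushes toward handing the client a fresh nonce with every response. The key, the lifetime and the nonce layout are assumptions for the example.

```python
import base64
import hashlib
import hmac

# Constructed server key for the example; a real server uses a random, rotated key.
SERVER_KEY = b"constructed-private-key"
NONCE_LIFETIME = 300  # seconds a nonce stays acceptable (assumed value)


def make_nonce(issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Time-limited nonce: base64(timestamp ':' HMAC(key, timestamp)).
    The HMAC lets the server check the nonce later without remembering it."""
    stamp = str(issued_at).encode()
    tag = hmac.new(key, stamp, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(stamp + b":" + tag).decode()


def check_nonce(nonce: str, now: int, key: bytes = SERVER_KEY) -> str:
    """'ok', 'stale' (expired; client retries with a fresh nonce) or 'bad' (forged)."""
    try:
        stamp, tag = base64.b64decode(nonce).split(b":", 1)
        issued_at = int(stamp)
    except (ValueError, TypeError):
        return "bad"
    expected = hmac.new(key, stamp, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected) or issued_at > now:
        return "bad"
    if now - issued_at > NONCE_LIFETIME:
        return "stale"
    return "ok"


class OneTimeNonceServer:
    """Goland's assumed policy: never accept the same nonce twice.
    Each accepted nonce is remembered until it expires, so a replayed request
    is rejected even inside the lifetime window; the cost is this state."""

    def __init__(self) -> None:
        self.seen: dict[str, int] = {}  # nonce -> issued_at

    def accept(self, nonce: str, now: int) -> str:
        status = check_nonce(nonce, now)
        if status != "ok":
            return status
        # Prune expired entries so the table is bounded by NONCE_LIFETIME.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= NONCE_LIFETIME}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = int(base64.b64decode(nonce).split(b":", 1)[0])
        return "ok"
```

With the time-limited policy alone a captured Authorization header stays good for NONCE_LIFETIME seconds; the one-time policy closes that window at the price of the `seen` table and a new nonce per request.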