RE: Some comments on Digest Auth

> ----------
> From: 	John Franks[SMTP:john@math.nwu.edu]
> Sent: 	Tuesday, January 20, 1998 3:25 PM
> To: 	Paul Leach
> Cc: 	Dave Kristol; Yaron Goland; http-wg@cuckoo.hpl.hp.com
> Subject: 	RE: Some comments on Digest Auth
> 
> On Tue, 20 Jan 1998, Paul Leach wrote:
> 
> > 
> > > From: 	John Franks[SMTP:john@math.nwu.edu]
> > 
> > > It is also a good idea to embed the requestor's IP address.
> > > 
> 
> > This will be broken when there is a proxy farm, each with its own IP
> > address, and where the client chooses the particular proxy based on the
> > URL.
> > 
> 
> If the client chooses the proxy based on URL it will work because the
> URL requested without credentials (which elicits the nonce) will be
> the same as the URL requested with credentials.  If the first request
> without credentials and the second with credentials are from different
> proxies, then you are right it will break.
> 
And the third and subsequent, with credentials, through a URL-dependent
proxy, will also break.

> > > One thing that I would like to do, but which would conflict with a
> > > pre-delivered list of nonces, is to embed the (strong) ETag of a
> > > document in the nonce.  This is simpler than timestamping and
> > > guarantees that a replay can only retrieve exactly the same document
> > > (which a MITM has presumably already seen when he captured the nonce.)
> > > 
> > Both would be good -- otherwise you can retrieve the same document
> > indefinitely into the future.
> > 
> 
> You could only receive *exactly* the same document indefinitely into
> the future as any update of the document changes the ETag.  I don't
> see repeatedly obtaining exactly the same document as a problem with
> idempotent methods like GET.  Of course, PUT and POST are a different
> matter, but I don't think they have ETags.
> 
Actually, my comment (that both ETag and timestamp are good) was wrong. You
can't use an ETag in the nonce, because nonces aren't per-resource. I do a
GET on http://www.foo.com/bar.html, and get a nonce. I use the same nonce
when I do a GET on http://www.foo.com/waz.html.

Paul

Received on Wednesday, 21 January 1998 05:37:24 UTC
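An added illustration of the two failure modes discussed in the thread above; this is example code written for this page, not code from the thread or from any Digest implementation. It builds a nonce of the RFC 2069 shape, a timestamp plus a keyed hash over the data the server binds the nonce to, here the requester's IP address and optionally the strong ETag of the resource it was issued for. The proxy addresses, ETags, private key and 300-second lifetime are constructed values, and HMAC-SHA256 is the assumed keyed hash. The scenarios show that an IP-bound nonce rejects a credentialed retry arriving through a different member of a proxy farm, and that an ETag-bound nonce issued for bar.html is rejected when the client presents the same nonce for waz.html, which is Paul's point that nonces are not per-resource.

```python
import base64
import hashlib
import hmac
import time

# Constructed server-side private key; a real server generates and protects its own.
SERVER_SECRET = b"constructed-private-key-for-illustration"
# Assumed policy: a nonce is accepted for this many seconds after it was issued.
NONCE_LIFETIME = 300
# Field separator; '|' cannot occur in a timestamp, an IP address or a hex digest.
SEP = "|"


def _etag_digest(etag):
    """Collapse an ETag (which may contain quotes or colons) into a fixed hex token."""
    return hashlib.sha256(etag.encode()).hexdigest()[:16] if etag else ""


def _mac(ts, client_ip, etag_digest):
    """Keyed hash over the fields the nonce is bound to."""
    bound = SEP.join((ts, client_ip, etag_digest)).encode()
    return hmac.new(SERVER_SECRET, bound, hashlib.sha256).hexdigest()


def make_nonce(client_ip, etag=None, now=None):
    """Issue a nonce bound to the requester's IP and, when given, a resource's ETag."""
    ts = str(int(time.time() if now is None else now))
    digest = _etag_digest(etag)
    payload = SEP.join((ts, client_ip, digest, _mac(ts, client_ip, digest)))
    return base64.b64encode(payload.encode()).decode()


def check_nonce(nonce, request_ip, request_etag=None, now=None):
    """Validate a nonce presented with credentials. Returns (accepted, reason)."""
    try:
        ts, ip, digest, mac = base64.b64decode(nonce).decode().split(SEP)
    except ValueError:  # bad base64 (binascii.Error is a ValueError), bad UTF-8, wrong field count
        return False, "malformed"
    # Recompute the keyed hash first so a forged nonce never reaches the later checks.
    if not hmac.compare_digest(mac, _mac(ts, ip, digest)):
        return False, "bad mac"
    current = time.time() if now is None else now
    if not ts.isdigit() or current - int(ts) > NONCE_LIFETIME:
        return False, "stale"
    if ip != request_ip:
        return False, "ip mismatch"
    if digest and digest != _etag_digest(request_etag):
        return False, "etag mismatch"
    return True, "ok"


# Constructed request parameters for the scenarios below.
PROXY_A, PROXY_B = "192.0.2.10", "192.0.2.11"   # two members of a proxy farm
BAR_ETAG, WAZ_ETAG = '"bar-v1"', '"waz-v1"'     # strong ETags of /bar.html and /waz.html


def proxy_farm_scenario():
    """The nonce is issued to the unauthenticated request that arrived via proxy A;
    the retry carrying credentials comes through proxy B, so IP binding rejects it."""
    nonce = make_nonce(PROXY_A, now=1000)
    return check_nonce(nonce, PROXY_B, now=1001)


def etag_reuse_scenario():
    """An ETag-bound nonce issued for /bar.html, then reused by the client on
    /waz.html: nonces are not per-resource, so the binding fails."""
    nonce = make_nonce(PROXY_A, etag=BAR_ETAG, now=1000)
    return check_nonce(nonce, PROXY_A, request_etag=WAZ_ETAG, now=1001)


def replay_same_document_scenario():
    """A captured nonce replayed within its lifetime for the unchanged document is
    accepted: it can only yield the representation the eavesdropper already saw."""
    nonce = make_nonce(PROXY_A, etag=BAR_ETAG, now=1000)
    return check_nonce(nonce, PROXY_A, request_etag=BAR_ETAG, now=1200)


def stale_replay_scenario():
    """The same nonce replayed after the lifetime has elapsed is refused."""
    nonce = make_nonce(PROXY_A, etag=BAR_ETAG, now=1000)
    return check_nonce(nonce, PROXY_A, request_etag=BAR_ETAG, now=1400)


def forged_nonce_scenario():
    """A nonce rewritten to claim proxy B's address without the private key fails the keyed hash."""
    fields = base64.b64decode(make_nonce(PROXY_A, now=1000)).decode().split(SEP)
    fields[1] = PROXY_B
    forged = base64.b64encode(SEP.join(fields).encode()).decode()
    return check_nonce(forged, PROXY_B, now=1001)


if __name__ == "__main__":
    for scenario in (proxy_farm_scenario, etag_reuse_scenario, replay_same_document_scenario,
                     stale_replay_scenario, forged_nonce_scenario):
        print(f"{scenario.__name__}: {scenario()}")
```

The validation order matters: the keyed hash is checked before anything else so that forged fields are never trusted, and the time check runs before the IP and ETag comparisons so an expired nonce is refused regardless of what it was bound to. Dropping the ETag binding (passing no etag to make_nonce) gives the per-server nonce Paul describes, at the cost of the replay-to-same-document guarantee John wanted.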