RE: Some comments on Digest Auth

> ----------
> From: 	John Franks[]
> Sent: 	Tuesday, January 20, 1998 3:25 PM
> To: 	Paul Leach
> Cc: 	Dave Kristol; Yaron Goland;
> Subject: 	RE: Some comments on Digest Auth
> On Tue, 20 Jan 1998, Paul Leach wrote:
> > 
> > > From: 	John Franks[]
> > 
> > > It is also a good idea to embed the requestor's IP address.
> > > 
> > This will be broken when there is a proxy farm, each with its own IP
> > address, and where the client chooses the particular proxy based on the
> > URL.
> > 
> If the client chooses the proxy based on URL it will work because the
> URL requested without credentials (which elicits the nonce) will be
> the same as the URL requested with credentials.  If the first request
> without credentials and the second with credentials are from different
> proxies, then you are right it will break.
And the third and subsequent, with credentials, through a URL-dependent
proxy, will also break.

> > > One thing that I would like to do, but which would conflict with a
> > > pre-delivered list of nonces, is to embed the (strong) ETag of a
> > > document in the nonce.  This is simpler than timestamping and
> > > guarantees that a replay can only retrieve exactly the same document
> > > (which a MITM has presumably already seen when he captured the nonce.)
> > > 
> > Both would be good -- otherwise you can retreive the same document
> > indefinitely into the future.
> > 
> You could only receive *exactly* the same document indefinitely into
> the future as any update of the document changes the ETag.  I don't
> see repeatedly obtaining exactly the same document as a problem with
> idempotent methods like GET.  Of course, PUT and POST are a different
> matter, but I don't think they have ETags.
Actually, my comment (that both Etag and timestamp are good) was wrong. You
can't use an Etag in the nonce, because nonces aren't per-resource. I do a
GET on, and get a nonce. I use the same nonce
when I do a GET on


Received on Wednesday, 21 January 1998 05:37:24 UTC