On Wed, 21 Jan 1998, Paul Leach wrote:

> The following criteria are fine by me:
> 1. Recovery of the password on one system doesn't allow its use on another
> 2. Replay attacks are limited to a reasonably small time window, and
> implementations can practically make it quite small.
> 3. Brute force attack is infeasible on well chosen passwords.

We are all in agreement here. I think that the last official version of the spec with all references to entity-digest and Authentication-info removed pretty well meets these needs if a timestamp is used in the nonce. I don't see that further requirements in the spec will buy us much more.

John Franks
john@math.nwu.edu

Received on Wednesday, 21 January 1998 15:12:32 UTC
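As an added illustration of the three criteria quoted in this message (it is not code from the thread, from the list participants, or from the specification), the following Python sketch shows the server side of an HTTP Digest exchange with a timestamp in the nonce. The per-realm H(A1) = MD5(user:realm:password) and the response = MD5(H(A1):nonce:H(A2)) follow the MD5 construction of the Digest scheme being discussed; the nonce layout `"<timestamp>:<HMAC(timestamp)>"`, the 30-second replay window, the server key and all credentials are constructed assumptions made here so the example runs offline.

```python
import hashlib
import hmac
import time

# Constructed demo secret: a real server would load its nonce key from protected
# configuration. Tagging the timestamp with an HMAC lets the server verify that it
# minted the nonce without keeping per-nonce state.
SERVER_KEY = b"constructed-demo-key-not-for-production"
REPLAY_WINDOW_SECONDS = 30  # assumed window; criterion 2 says "reasonably small"


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) of the Digest scheme: MD5(user:realm:password).

    Binding the realm into the hash is what satisfies criterion 1: a stored
    H(A1) recovered from one realm does not verify on a realm with another name.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def make_nonce(now: float, server_key: bytes = SERVER_KEY) -> str:
    """Mint a nonce carrying the issue time and an HMAC over it (constructed layout)."""
    ts = str(int(now))
    mac = hmac.new(server_key, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def nonce_is_fresh(nonce: str, now: float, window: int = REPLAY_WINDOW_SECONDS,
                   server_key: bytes = SERVER_KEY) -> bool:
    """Accept only nonces this server minted whose age is within the replay window."""
    try:
        ts, mac = nonce.split(":", 1)
        expected = hmac.new(server_key, ts.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False  # forged or altered nonce
        age = now - int(ts)
    except ValueError:
        return False  # malformed nonce
    return 0 <= age <= window


def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    """Client-side response = MD5(H(A1):nonce:H(A2)) with H(A2) = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1_hex}:{nonce}:{ha2}".encode()).hexdigest()


def verify(stored_ha1: str, nonce: str, method: str, uri: str,
           response: str, now: float) -> bool:
    """Server-side check: reject stale or foreign nonces first, then compare digests."""
    if not nonce_is_fresh(nonce, now):
        return False
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed walk-through: a valid login, a cross-realm attempt, and a replay.
    t0 = time.time()
    nonce = make_nonce(t0)
    alice_a = ha1("alice", "realmA", "correct horse battery staple")
    alice_b = ha1("alice", "realmB", "correct horse battery staple")
    resp = digest_response(alice_a, nonce, "GET", "/dir/index.html")
    print("same password, different realm, different H(A1):", alice_a != alice_b)
    print("fresh response on realmA verifies:",
          verify(alice_a, nonce, "GET", "/dir/index.html", resp, t0 + 5))
    print("same response against realmB fails:",
          verify(alice_b, nonce, "GET", "/dir/index.html", resp, t0 + 5))
    print("same response replayed after the window fails:",
          verify(alice_a, nonce, "GET", "/dir/index.html", resp, t0 + 120))
```

The window check runs before the digest comparison so that a replayed response is refused even when the digest itself is still correct; criterion 3 is not something code can supply, since it rests on the password's entropy, which is why the MD5 digests here are still only as strong as the chosen password.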
This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:04 UTC