- From: John Franks <john@math.nwu.edu>
- Date: Wed, 21 Jan 1998 17:07:46 -0600 (CST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: "'David W. Morris'" <dwm@xpasc.com>, "'dmk@research.bell-labs.com'" <dmk@research.bell-labs.com>, http-wg@cuckoo.hpl.hp.com
On Wed, 21 Jan 1998, Paul Leach wrote:

> The following criteria are fine by me:
> 1. Recovery of the password on one system doesn't allow its use on another
> 2. Replay attacks are limited to a reasonably small time window, and
>    implementations can practically make it quite small.
> 3. Brute force attack is infeasible on well chosen passwords.

We are all in agreement here. I think that the last official version of the spec with all references to entity-digest and Authentication-info removed pretty well meets these needs if a timestamp is used in the nonce. I don't see that further requirements in the spec will buy us much more.

John Franks
john@math.nwu.edu
Received on Wednesday, 21 January 1998 15:12:32 UTC
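As an added illustration (not code from the thread or from the HTTP working group), the sketch below shows how a server-side nonce carrying a timestamp bounds the replay window named in criterion 2, and how the realm-bound Digest hash keeps a password hash from one realm from working in another (criterion 1). The nonce layout (timestamp plus a keyed tag under a server-private secret), the window length and the HMAC-SHA256 tag are this example's own choices, not a format the spec mandates; the response computation follows the no-qop Digest form.

```python
import base64
import hashlib
import hmac
import os
import time

# Server-private key; constructed here for the example. A nonce tagged under
# one server's key is rejected by any server holding a different key.
SECRET = os.urandom(32)


def make_nonce(now: float, secret: bytes = SECRET) -> str:
    """Nonce = base64("<unix-seconds>:<HMAC(secret, unix-seconds)>")."""
    ts = str(int(now))
    tag = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{tag}".encode()).decode()


def check_nonce(nonce: str, now: float, window: int, secret: bytes = SECRET) -> bool:
    """Accept only nonces we issued ourselves and that are at most `window` seconds old."""
    try:
        ts, tag = base64.b64decode(nonce).decode().split(":", 1)
        issued = int(ts)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed: not something this server produced
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged, or minted by a server with another secret
    age = now - issued
    return 0 <= age <= window  # replay limited to the chosen time window


def digest_response(user: str, realm: str, password: str, method: str, uri: str, nonce: str) -> str:
    """No-qop Digest response: MD5(HA1 ":" nonce ":" HA2), with HA1 bound to the realm."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


if __name__ == "__main__":
    n = make_nonce(time.time())
    print("fresh nonce accepted:", check_nonce(n, time.time(), 60))
    print("response:", digest_response("alice", "example.org", "s3cret", "GET", "/", n))
```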