
RE: Some comments on Digest Auth

From: David W. Morris <dwm@xpasc.com>
Date: Wed, 21 Jan 1998 15:29:49 -0800 (PST)
To: John Franks <john@math.nwu.edu>
Cc: Paul Leach <paulle@microsoft.com>, "'dmk@research.bell-labs.com'" <dmk@research.bell-labs.com>, http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.GSO.3.96.980121152303.5268G-100000@shell1.aimnet.com>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/5260

On Wed, 21 Jan 1998, John Franks wrote:

> On Wed, 21 Jan 1998, Paul Leach wrote:
> > 
> > The following criteria are fine by me:
> > 1. Recovery of the password on one system doesn't allow its use on another
> > 2. Replay attacks are limited to a reasonably small time window, and
> > implementations can practically make it quite small.
> > 3. Brute force attack is infeasible on well chosen passwords.
> >
> We are all in agreement here.  I think that the last official
> version of the spec with all references to entity-digest and
> Authentication-info removed pretty well meets these needs if
> a timestamp is used in the nonce.

I don't think there should be a normative requirement that a timestamp
be used in the nonce. The server owns the nonce and could easily
implement some other mechanism including tracking nonces issued and
setting time limits, perhaps even a moving window reset with each use.

I have no objection for a SHOULD level requirement that the server
implement some form of replay protection, and I have no objection
to text which describes a timestamp and clock-less server version of
nonce handling which achieves Paul's #2 objective.

All given that the WG otherwise agrees that #2 should be part of
the digest specification.

Dave Morris
Received on Wednesday, 21 January 1998 15:31:42 UTC
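As an added illustration (not part of the original thread), the two server-side nonce strategies the message contrasts: a stateless nonce that embeds a timestamp bound to a server secret, and a clock-less variant that tracks issued nonces with a moving window reset on each use. Class and parameter names are my own, and the secret is a constructed sample.

```python
import base64
import hashlib
import hmac
import os


class TimestampNonceServer:
    """Stateless nonce: timestamp tied to a server secret, no per-nonce storage.
    The replay window is max_age seconds; any node holding the secret can check it.
    (RFC 2069 also folds the ETag into the nonce; omitted here for brevity.)"""

    def __init__(self, secret: bytes, max_age: float = 300.0):
        self.secret, self.max_age = secret, max_age

    def _mac(self, ts: str) -> str:
        return hmac.new(self.secret, ts.encode(), hashlib.sha256).hexdigest()[:32]

    def issue(self, now: float) -> str:
        ts = str(int(now))
        return f"{ts}:{self._mac(ts)}"

    def verify(self, nonce: str, now: float) -> bool:
        ts, _, mac = nonce.partition(":")
        if not hmac.compare_digest(mac, self._mac(ts)):
            return False                       # altered or forged nonce
        age = now - int(ts)
        return 0 <= age <= self.max_age        # future-dated or stale: reject


class TrackedNonceServer:
    """Clock-less alternative: the server remembers each nonce it issued and
    measures the window in requests handled, not seconds. Each successful use
    resets the window, giving the 'moving window' behaviour the message describes."""

    def __init__(self, window: int = 10):
        self.window = window
        self.requests = 0        # monotonic request counter stands in for a clock
        self.last_use = {}       # nonce -> counter value at issue or last use

    def issue(self) -> str:
        nonce = base64.b16encode(os.urandom(16)).decode()
        self.last_use[nonce] = self.requests
        return nonce

    def verify(self, nonce: str) -> bool:
        self.requests += 1
        seen = self.last_use.get(nonce)
        if seen is None or self.requests - seen > self.window:
            self.last_use.pop(nonce, None)     # unknown or expired: forget it
            return False
        self.last_use[nonce] = self.requests   # reset the window on each use
        return True
```

The timestamp form costs no server state but needs a clock and a shared secret; the tracked form needs neither but must store every live nonce.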
