- From: Paul Leach <paulle@microsoft.com>
- Date: Fri, 7 Aug 1998 10:00:53 -0700
- To: 'Dave Kristol' <dmk@bell-labs.com>
- Cc: 'Scott Lawrence' <lawrence@agranat.com>, Larry Masinter <masinter@parc.xerox.com>, HTTP Working Group <http-wg@hplb.hpl.hp.com>
This is a MUST on the client in order for it to ensure its own security, not in order to interoperate. It imposes no burden on servers.

In order to be safe, it is indeed true that the client should never send the same value, even to different servers. If a server can predict what the client will send, then we're back in chosen-plaintext-attack land.

-----Original Message-----
From: Dave Kristol [mailto:dmk@bell-labs.com]
Sent: Friday, August 07, 1998 6:52 AM
To: Paul Leach
Cc: 'Scott Lawrence'; Larry Masinter; HTTP Working Group
Subject: Re: Authentication issue CNONCE: Proposed resolution

Paul Leach wrote:
>
> How about -- if auth= or auth-int= are specified, cnonce= is required and
> MUST be a value never used before by the client?

I concur with the first part. Is the second part a requirement on the client, to avoid sending; on the server, to reject if it sees a duplicate; or both?

I oppose a MUST requirement on the server to reject a set of credentials that includes a cnonce value that it had seen before.

BTW, if this is a requirement on the client, is this a prohibition against sending the same cnonce value to different servers?

Dave Kristol
Received on Friday, 7 August 1998 10:03:22 UTC
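The client-side rule discussed above (with qop=auth or auth-int, the cnonce is mandatory and the client never reuses a value, whichever server it talks to) as an added Python example; this is not code from the thread. It computes the Digest response per RFC 2617 and checks against the RFC's own worked example; the `DigestClient` class, `md5hex` helper and the bounded-retry policy are my own assumptions.

```python
import hashlib
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


class DigestClient:
    """Client-side Digest state. Each cnonce comes from a CSPRNG and is
    remembered, so the client never sends the same value twice, to any server.
    A server that could predict the cnonce would control the whole hashed
    string, which is the chosen-plaintext situation the thread warns about."""

    def __init__(self, rng=lambda: secrets.token_hex(16)):
        self._rng = rng      # injectable for testing; default is a CSPRNG
        self._used = set()   # every cnonce this client has ever emitted

    def fresh_cnonce(self) -> str:
        for _ in range(8):   # bounded retry; a CSPRNG collision is astronomically unlikely
            c = self._rng()
            if c not in self._used:
                self._used.add(c)
                return c
        raise RuntimeError("RNG keeps repeating; refusing to reuse a cnonce")

    def response(self, user, realm, password, method, uri, nonce, nc, qop,
                 cnonce=None, body=b""):
        """Return (cnonce, response) per RFC 2617. With qop=auth or auth-int the
        cnonce is required and must be one this client has not used before."""
        ha1 = md5hex(f"{user}:{realm}:{password}")
        if qop == "auth-int":
            ha2 = md5hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
        else:
            ha2 = md5hex(f"{method}:{uri}")
        if qop in ("auth", "auth-int"):
            if cnonce is None:
                cnonce = self.fresh_cnonce()
            elif cnonce in self._used:
                raise ValueError("cnonce already sent once; a fresh one is required")
            else:
                self._used.add(cnonce)
            return cnonce, md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        # Legacy (no qop) form: only the server's nonce salts the digest.
        return None, md5hex(f"{ha1}:{nonce}:{ha2}")
```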