Re: Digest mess
Scott Lawrence (lawrence@agranat.com)
Fri, 19 Dec 1997 09:44:47 -0500 (EST)
JF> I think the reason for including dates and expires in a digest is
JF> to prevent replay attacks. There are many cases where not only is
JF> the information important but the date it was sent is important
JF> (think of a stock quote, for example).
The digest already includes the server-generated nonce; efficient
mechanisms already exist in the scheme for a unique nonce for each
transaction. Since the nonce and its reusability are controlled by
the server, this can already be made to match the application
requirements.
JF> The motivation for including the response status value in the
JF> digest is to have the response from a PUT essentially certify that
JF> the PUT succeeded.
On the face of it this would seem to be a good idea, but is it
possible for a proxy to change the response value (as for example
changing a 303 from a 1.1 origin server to a 302 for a 1.0 user
agent)?
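The replay-protection point above (the server controls the nonce and its reusability) can be shown concretely. The following is an added example, not code from the original message or from the HTTP working group; it uses the later RFC 2617 formulation of Digest (qop, nonce count `nc`, `cnonce`), which is an assumption for illustration, and the realm, credentials and URIs are constructed. The server binds each nonce to a timestamp with an HMAC so it can detect tampering without storing state, enforces a lifetime, and tracks the highest `nc` accepted per nonce so a captured request cannot simply be resent.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Tuple


def md5_hex(data: str) -> str:
    # RFC 2617 Digest uses MD5 for H(); kept here for fidelity to the scheme.
    return hashlib.md5(data.encode()).hexdigest()


def compute_response(username: str, password: str, realm: str, method: str,
                     uri: str, nonce: str, nc: str, cnonce: str,
                     qop: str = "auth") -> str:
    """Client-side 'response' value per RFC 2617 with qop=auth."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    def __init__(self, realm: str, users: Dict[str, str],
                 secret: bytes = None, nonce_lifetime: int = 300):
        self.realm = realm
        self.users = users                      # username -> password (constructed)
        self.secret = secret or os.urandom(32)  # server-only key for nonce tags
        self.nonce_lifetime = nonce_lifetime    # seconds a nonce stays fresh
        self.seen_nc: Dict[str, int] = {}       # nonce -> highest nc accepted

    def make_nonce(self, now: float = None) -> str:
        # Stateless nonce: "<timestamp>:<hmac(secret, timestamp)>".
        ts = str(int(time.time() if now is None else now))
        tag = hmac.new(self.secret, ts.encode(), hashlib.sha256).hexdigest()[:32]
        return f"{ts}:{tag}"

    def nonce_is_valid(self, nonce: str, now: float = None) -> bool:
        try:
            ts, tag = nonce.split(":", 1)
            issued = int(ts)
        except ValueError:
            return False
        expected = hmac.new(self.secret, ts.encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(tag, expected):
            return False  # nonce was not minted by this server
        now = time.time() if now is None else now
        return 0 <= now - issued <= self.nonce_lifetime

    def verify(self, method: str, params: Dict[str, str],
               now: float = None) -> Tuple[bool, str]:
        """Check one Authorization: Digest header (parsed into params)."""
        nonce = params["nonce"]
        if not self.nonce_is_valid(nonce, now):
            return False, "stale nonce"
        nc = int(params["nc"], 16)
        if nc <= self.seen_nc.get(nonce, 0):
            return False, "replayed nonce count"   # same request seen before
        password = self.users.get(params["username"])
        if password is None:
            return False, "unknown user"
        expected = compute_response(params["username"], password, self.realm,
                                    method, params["uri"], nonce, params["nc"],
                                    params["cnonce"], params.get("qop", "auth"))
        if not hmac.compare_digest(expected, params["response"]):
            return False, "bad response"
        self.seen_nc[nonce] = nc  # only advance the counter after a good response
        return True, "ok"


def demo():
    """Constructed exchange: a valid request, its replay, a fresh nc, a stale nonce."""
    server = DigestServer("example.org", {"alice": "correct horse"})
    nonce = server.make_nonce(now=1000)

    def request(nc: str) -> Dict[str, str]:
        return {
            "username": "alice", "uri": "/quote.txt", "qop": "auth",
            "nonce": nonce, "nc": nc, "cnonce": "0a4f113b",
            "response": compute_response("alice", "correct horse", "example.org",
                                         "GET", "/quote.txt", nonce, nc, "0a4f113b"),
        }

    first = server.verify("GET", request("00000001"), now=1001)
    replay = server.verify("GET", request("00000001"), now=1002)   # resent verbatim
    second = server.verify("GET", request("00000002"), now=1003)
    late = server.verify("GET", request("00000003"), now=1301)     # past lifetime
    return first, replay, second, late


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "second", "late"), demo()):
        print(f"{label}: {result}")
```

The nonce is self-authenticating, so the server needs no table of issued nonces, only the per-nonce high-water mark of `nc` (or a bitmap window if out-of-order delivery matters). Tightening `nonce_lifetime` to a single use is how a deployment would make the nonce match the application's replay requirements, which is the point made in the reply above.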