Re: Digest mess
Scott Lawrence (lawrence@agranat.com)
Fri, 19 Dec 1997 10:23:46 -0500 (EST)
> John Franks:
> It is the client who must be concerned about reused nonces to avoid
> a replay attack. To avoid a replay attack the client would have to
> keep a database of all previous nonces and make sure they are not
> reused.
No - it only needs to keep the nonce it used for the outstanding
request; if that does not produce the correct digest then it is not
valid even if it would have been valid for some earlier request.
> Yes, a proxy might change the status code. That is why it needs to be
> replicated in the Authentication-info header. Hashing the status code
> is what John Mallery was talking about when he said with a few minor
> changes digest could become really useful. :)
Ok; that makes sense, but I don't think that we need the dates - they
are not essential to detecting response replays and they are many more
bytes.
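The two points above (a client only needs to remember the nonce of its outstanding request to detect a replayed response, and binding the status code into the response digest defeats a proxy or attacker that alters it) can be shown with a small simulation. This is an added example, not code from the thread or from any Digest implementation: the digest construction below (hash of the password hash, the request nonce, the status code and the body hash) is a simplified assumption for illustration and is not the exact RFC 2069/2617 formula, and the `DigestClient`/`DigestServer` classes, the `respond`/`verify_response` names and the credential values are all constructed here.

```python
import hashlib
import secrets


def h(data: str) -> str:
    """MD5 hex digest, the hash HTTP Digest authentication used at the time."""
    return hashlib.md5(data.encode()).hexdigest()


def response_digest(password_hash: str, nonce: str, status_code: int, body: str) -> str:
    """Hypothetical response-authentication digest (an assumption, not the RFC formula).

    It binds the response to the nonce of the request it answers and to the
    status code, which is the change the thread proposes.
    """
    return h(f"{password_hash}:{nonce}:{status_code}:{h(body)}")


class DigestServer:
    """Constructed server: issues nonces and signs responses with the shared secret."""

    def __init__(self, password_hash: str):
        self.password_hash = password_hash

    def issue_nonce(self) -> str:
        return secrets.token_hex(8)

    def respond(self, request_nonce: str, status_code: int, body: str):
        # The server authenticates the response using the nonce from the request it answers.
        return status_code, body, response_digest(self.password_hash, request_nonce, status_code, body)


class DigestClient:
    """Constructed client: remembers only the nonce of its outstanding request."""

    def __init__(self, password_hash: str):
        self.password_hash = password_hash
        self.outstanding_nonce = None

    def send_request(self, nonce: str) -> None:
        # No database of past nonces: the previous nonce is simply overwritten.
        self.outstanding_nonce = nonce

    def verify_response(self, status_code: int, body: str, digest: str) -> bool:
        if self.outstanding_nonce is None:
            return False
        expected = response_digest(self.password_hash, self.outstanding_nonce, status_code, body)
        # A response computed for any earlier nonce, or with an altered status code,
        # will not match and is rejected.
        return secrets.compare_digest(expected, digest)


def demo() -> dict:
    """Run the genuine, replayed and status-altered cases; returns the verdicts."""
    pw_hash = h("alice:realm:constructed-password")  # constructed credential
    server = DigestServer(pw_hash)
    client = DigestClient(pw_hash)

    # Exchange 1: genuine response for nonce n1.
    n1 = server.issue_nonce()
    client.send_request(n1)
    resp1 = server.respond(n1, 200, "hello")
    genuine = client.verify_response(*resp1)

    # Exchange 2: a new request with nonce n2; an attacker replays resp1.
    n2 = server.issue_nonce()
    client.send_request(n2)
    replayed = client.verify_response(*resp1)

    # The real answer to request 2 still verifies.
    resp2 = server.respond(n2, 200, "hello")
    real_second = client.verify_response(*resp2)

    # A proxy rewrites the status code of resp2 without recomputing the digest.
    status, body, digest = resp2
    altered_status = client.verify_response(304, body, digest)

    return {
        "genuine": genuine,
        "replayed": replayed,
        "real_second": real_second,
        "altered_status": altered_status,
    }


if __name__ == "__main__":
    print(demo())
```

Only the single outstanding nonce is stored on the client, yet the replayed first response and the status-altered second response both fail verification, while the genuine responses pass.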