Re: Authentication issue CNONCE: Proposed resolution
Dave Kristol (dmk@bell-labs.com)
Fri, 07 Aug 1998 09:52:19 -0400

Paul Leach wrote:
>
> How about -- if auth= or auth-int= are specified, cnonce= is required and
> MUST be a value never used before by the client?

I concur with the first part. Is the second part a requirement on the
client, to avoid sending; on the server, to reject if it sees a
duplicate; or both? I oppose a MUST requirement on the server to reject
a set of credentials that includes a cnonce value that it had seen
before.

BTW, if this is a requirement on the client, is this a prohibition
against sending the same cnonce value to different servers?

Dave Kristol