Re: Authentication issue CNONCE: Proposed resolution

Scott Lawrence (lawrence@agranat.com)
Fri, 07 Aug 1998 14:14:10 +0000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Spencer Dawkins: "RE: Digest Authentication Challenge Ordering"
Previous message: Dave Kristol: "Re: Digest Authentication Challenge Ordering"
Maybe in reply to: Larry Masinter: "Authentication issue CNONCE: Proposed resolution"
Next in thread: Scott Lawrence: "Re: Authentication issue CNONCE: Proposed resolution"

Paul Leach wrote:
> 
> How about -- if auth= or auth-int= are specified, cnonce= is required and
> MUST be a value never used before by the client?

I like requiring cnonce because it makes the implementation simpler, but the
advice about changing it should be just that - advice.  It does not affect
interoperability.  Put something in the Security Considerations.

-- 
Scott Lawrence           Consulting Engineer      <lawrence@agranat.com>
Agranat Systems, Inc.  Embedded Web Technology   http://www.agranat.com/

Next message: Spencer Dawkins: "RE: Digest Authentication Challenge Ordering"
Previous message: Dave Kristol: "Re: Digest Authentication Challenge Ordering"
Maybe in reply to: Larry Masinter: "Authentication issue CNONCE: Proposed resolution"
Next in thread: Scott Lawrence: "Re: Authentication issue CNONCE: Proposed resolution"