httpd-dev mailing list archives

From Dirk-Willem van Gulik <>
Subject Re: [PATCH] Candidate 1: Re: 1.3.3x digest/nonce issue
Date Wed, 14 Apr 2004 07:27:38 GMT

On Apr 14, 2004, at 12:12 AM, Ben Laurie wrote:

> Surely this advice is not good - this value (according to my reading) 
> is the only secret that prevents forgery of nonces. OTOH, it's late, 
> and I may not be thinking clearly about this - in fact, I'm suspecting 
> that forgery of nonces is not an issue - the issue is using the same 
> nonce in different realms - but I'll send this anyway just so it gets 
> discussed.
> Also, this isn't really a nonce - the constructed value is - this is a 
> nonce seed, or something along those lines.
Correct - it is a nonce-seed.
	AuthDigestNonce --> AuthDigestSeed or AuthDigestNonceSeed ?

It should be identical across an XS realm - but different from realm to
realm. If one realm is used on multiple servers (e.g. non-sticky
loadbalancing) it should be identical across those servers.

As a -lot- of different sites use common realm names (such as 'DAV' or
'webfolder'), it should not be set to the same as the realm. Hence the IP
address advice for single servers. (This is the problem I found in the
wild - recycle a captured wire digest from a common realm name such as
'webfolder', 'dav', 'ical' and use it on a totally different server to
which the user uses the same convenience username and password).

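The seed policy discussed in the message above, as an added example that is not code from this thread or from httpd. It models a server-side digest nonce as a timestamp plus an HMAC over the timestamp and realm keyed by the nonce seed; this construction, the realm names, the IP addresses and the pool secret are all constructed for the illustration and are not mod_auth_digest's actual nonce format. It shows why a seed derived from a public realm name lets a nonce minted by one site verify on an unrelated site using the same realm, while a per-server seed (the IP-address advice) or a seed shared only within a load-balanced pool does not.

```python
"""Constructed model of how a digest-auth nonce seed scopes nonce validity."""
import hashlib
import hmac

# Constructed reference time (roughly the date of the message); any int works.
T = 1081927658
MAX_AGE = 300  # seconds a nonce stays fresh (assumed policy value)


def make_nonce(seed: bytes, realm: str, ts: int) -> str:
    """Nonce = 8 hex chars of timestamp || HMAC-SHA256(seed, "ts:realm").
    Only a holder of `seed` can mint a nonce that `seed` later verifies."""
    tag = hmac.new(seed, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    return f"{ts:08x}{tag}"


def check_nonce(seed: bytes, realm: str, nonce: str, now: int) -> bool:
    """Verify the tag with this server's seed and realm, then check freshness.
    Malformed, forged, foreign-seed and stale nonces are all rejected."""
    if len(nonce) != 8 + 64:
        return False
    try:
        ts = int(nonce[:8], 16)
    except ValueError:
        return False
    expected = hmac.new(seed, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(nonce[8:], expected):
        return False
    return 0 <= now - ts <= MAX_AGE


class DigestServer:
    """One server with its realm and its configured nonce seed."""

    def __init__(self, realm: str, seed: bytes):
        self.realm = realm
        self.seed = seed

    def challenge(self, now: int) -> str:
        return make_nonce(self.seed, self.realm, now)

    def accepts(self, nonce: str, now: int) -> bool:
        return check_nonce(self.seed, self.realm, nonce, now)


# Two seed policies for a single server (constructed names).
def seed_from_realm(realm: str, ip: str) -> bytes:
    """The weak setting the message warns against: seed == public realm name."""
    return realm.encode()


def seed_from_ip(realm: str, ip: str) -> bytes:
    """The per-server advice: something unique to this server, e.g. its IP."""
    return ip.encode()


def foreign_site_accepts(seed_policy) -> bool:
    """Two unrelated sites both using the common realm 'webfolder'.
    Returns True if a nonce issued by site A verifies on site B."""
    site_a = DigestServer("webfolder", seed_policy("webfolder", "192.0.2.10"))
    site_b = DigestServer("webfolder", seed_policy("webfolder", "198.51.100.20"))
    captured = site_a.challenge(T)          # nonce seen on the wire to A
    return site_b.accepts(captured, T + 5)   # presented to B shortly after


def pool_member_accepts() -> bool:
    """Non-sticky load balancing: pool members share one seed and one realm,
    so a nonce challenged by one member verifies on another."""
    shared = b"constructed-pool-seed"
    m1 = DigestServer("DAV", shared)
    m2 = DigestServer("DAV", shared)
    return m2.accepts(m1.challenge(T), T + 5)


def other_realm_accepts() -> bool:
    """Same seed but a different realm still fails: the realm is bound in."""
    shared = b"constructed-pool-seed"
    return DigestServer("ical", shared).accepts(
        DigestServer("DAV", shared).challenge(T), T + 5)


def stale_nonce_accepts() -> bool:
    """A correctly seeded nonce presented after MAX_AGE is rejected."""
    s = DigestServer("DAV", b"constructed-pool-seed")
    return s.accepts(s.challenge(T), T + MAX_AGE + 1)


if __name__ == "__main__":
    print("seed=realm, foreign site accepts:", foreign_site_accepts(seed_from_realm))
    print("seed=IP,    foreign site accepts:", foreign_site_accepts(seed_from_ip))
    print("pool member accepts:", pool_member_accepts())
    print("other realm accepts:", other_realm_accepts())
    print("stale nonce accepts:", stale_nonce_accepts())
```

With the realm-derived seed the first check prints True, which is the cross-site recycling the message describes; with the IP-derived seed it prints False while the shared-seed pool case still prints True, which is the property the reply asks for (identical within a realm's servers, different from the realm name itself).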
