httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: [PATCH] Candidate 1: Re: 1.3.3x digest/nonce issue
Date Tue, 13 Apr 2004 22:12:40 GMT
Jim Jagielski wrote:
> On Apr 13, 2004, at 11:13 AM, Jim Jagielski wrote:
>  static const char *set_bs2000_account(cmd_parms *cmd, void *dummy, char 
> *name)
>  {
> @@ -3395,6 +3446,9 @@
>    "An HTTP authorization type (e.g., \"Basic\")" },
>  { "AuthName", set_authname, NULL, OR_AUTHCFG, TAKE1,
>    "The authentication realm (e.g. \"Members Only\")" },
> +{ "AuthNonce", set_authnonce, NULL, OR_AUTHCFG, TAKE1,
> +  "An authentication token which should be different for each logical 
> realm. "\
> +  "A random value or the servers IP may be a good choise.\n" },
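Review bot: the help string for the new AuthNonce directive has typos ("the servers IP may be a good choise" should read "the server's IP may be a good choice") and, more importantly, it recommends a value that is not secret: a server's IP address is public and easily guessed, so if this value is what keeps the constructed nonces unforgeable, the text should tell administrators to use a random, unguessable value and the IP suggestion should be dropped. The directive name is also a misnomer, since what is configured here is a seed from which the nonce is derived rather than the nonce itself; AuthNonceSeed (or similar) would be clearer, together with documenting, as the first line of the string already does, that it must differ for each logical realm.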

Surely this advice is not good - this value (according to my reading) is 
the only secret that prevents forgery of nonces. OTOH, it's late, and I 
may not be thinking clearly about this - in fact, I'm suspecting that 
forgery of nonces is not an issue - the issue is using the same nonce in 
different realms - but I'll send this anyway just so it gets discussed.

Also, this isn't really a nonce - the constructed value is - this is a 
nonce seed, or something along those lines.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
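As an added illustration of the seed-versus-nonce distinction raised in the message above, here is a small model of a seeded nonce: this is example code, not code from the original message or from httpd, and the nonce layout, the helper names, the fixed clock value and the sample seeds are all assumptions made for the example. It shows why the seed is the secret (a nonce minted under a guessable seed such as the server's IP verifies just like a genuine one), why the realm must be bound into the nonce (the same nonce is rejected in another realm), and the freshness and integrity checks a verifier needs.

```python
import hmac
import hashlib
import secrets

# Hypothetical nonce layout (NOT Apache's actual format): "<hex timestamp>:<hex MAC>".
# The MAC binds the timestamp to the realm under a per-server secret seed, so a
# client cannot mint its own nonces and a nonce from one realm is rejected in another.
MAX_NONCE_AGE = 300  # seconds a nonce stays valid (assumed value)


def make_nonce(seed: bytes, realm: str, issued_at: int) -> str:
    """Server side: derive a nonce from the secret seed, the realm and the issue time."""
    ts = f"{issued_at:08x}"
    mac = hmac.new(seed, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_nonce(seed: bytes, realm: str, nonce: str, now: int,
                 max_age: int = MAX_NONCE_AGE) -> bool:
    """Server side: accept only a well-formed, untampered, realm-bound, fresh nonce."""
    try:
        ts, mac = nonce.split(":", 1)
        issued_at = int(ts, 16)
    except ValueError:
        return False  # malformed nonce
    expected = hmac.new(seed, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # wrong seed, wrong realm, or tampered
    return 0 <= now - issued_at <= max_age  # reject future-dated and stale nonces


def demo() -> dict:
    """Run the checks and return their outcomes (constructed inputs throughout)."""
    now = 1_700_000_000  # fixed clock so the run is reproducible
    strong_seed = secrets.token_bytes(32)  # what the seed should look like
    n = make_nonce(strong_seed, "Members Only", now - 10)
    tampered = n[:-1] + ("0" if n[-1] != "0" else "1")  # flip the last MAC digit
    results = {
        "fresh_same_realm": verify_nonce(strong_seed, "Members Only", n, now),
        "same_nonce_other_realm": verify_nonce(strong_seed, "Admin", n, now),
        "expired": verify_nonce(strong_seed, "Members Only", n, now + 3600),
        "tampered": verify_nonce(strong_seed, "Members Only", tampered, now),
    }
    # Weak seed: the server's IP address (constructed example value). An attacker who
    # knows the address can run make_nonce() themselves, and the server cannot tell
    # the forged nonce from one it issued.
    weak_seed = b"192.0.2.10"
    forged = make_nonce(weak_seed, "Members Only", now)
    results["forged_with_guessed_seed"] = verify_nonce(weak_seed, "Members Only", forged, now)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the MAC makes the nonce unforgeable, and the MAC is only as strong as the seed behind it; binding the realm into the MAC input is what stops a nonce issued for one realm from being replayed against another.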
