httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: [PATCH] Candidate 1: Re: 1.3.3x digest/nonce issue
Date Wed, 14 Apr 2004 19:18:17 GMT

On Apr 14, 2004, at 1:57 PM, Ben Laurie wrote:
>> Correct - it is a nonce-seed.
>>         AuthDigestNonce --> AuthDigestSeed or AuthDigestNonceSeed ?
>> It should be identical across an XS realm - but different from realm 
>> to realm. If one realm is used on multiple
>> servers (e.g. non sticky loadbalancing) it should be identical across 
>> those servers.
>> As a -lot- of different sites use common realm names (such as 'DAV' 
>> or 'webfolder'), it should not
>> be set to the same as the realm. Hence the IP address advice for 
>> single servers. (This is the problem I found
>> in the wild - recycle a captured wire digest from a common realm name 
>> such as 'webfolder', 'dav', 'ical'
>> and use it on a totally different server to which the user uses the 
>> same convenience username and password).
>
> Right. We should be more explicit about the threat model. To that end, 
> how about something like AuthDigestRealmSeed as the name?
>
>

I think that makes it clearer, yes.

+1
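An added illustration, not Apache's own mod_auth_digest code, of the point made in the quoted text: if the nonce is bound to a per-deployment seed, a nonce captured from one server using the realm 'webfolder' is rejected by an unrelated server that merely shares that realm name, while servers behind a load balancer that share the seed still accept each other's nonces. Seed values, the nonce layout and timestamps are constructed for the example.

```python
import hashlib
import hmac

# Constructed nonce scheme: "<timestamp>:<HMAC(seed, realm:timestamp)>".
# The seed plays the role of the proposed AuthDigestRealmSeed directive.

def make_nonce(seed: str, realm: str, now: int) -> str:
    """Mint a nonce whose MAC is keyed by the deployment's seed."""
    mac = hmac.new(seed.encode(), f"{realm}:{now}".encode(),
                   hashlib.sha256).hexdigest()[:32]
    return f"{now}:{mac}"

def nonce_is_valid(nonce: str, seed: str, realm: str, now: int,
                   max_age: int = 300) -> bool:
    """Accept only nonces minted under our seed, for our realm, recently."""
    try:
        ts_str, mac = nonce.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False          # malformed nonce
    if not 0 <= now - ts <= max_age:
        return False          # stale or from the future
    expected = hmac.new(seed.encode(), f"{realm}:{ts}".encode(),
                        hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(mac, expected)

def replay_outcomes() -> dict:
    """Exercise the cases discussed in the thread with constructed values."""
    realm = "webfolder"
    now = 1_700_000_000
    site_a_seed = "192.0.2.10"      # constructed: single server seeded with its IP
    site_b_seed = "198.51.100.7"    # constructed: unrelated server, same realm name
    cluster_seed = "shared-cluster-seed"  # constructed: identical across LB members
    captured = make_nonce(site_a_seed, realm, now)
    return {
        "same_server": nonce_is_valid(captured, site_a_seed, realm, now + 5),
        "other_server_same_realm": nonce_is_valid(captured, site_b_seed, realm, now + 5),
        "shared_cluster_seed": nonce_is_valid(
            make_nonce(cluster_seed, realm, now), cluster_seed, realm, now + 5),
        "stale": nonce_is_valid(captured, site_a_seed, realm, now + 301),
    }
```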

