Hi Daniel,

On 25/11/2016, Daniel McCarney <[email protected]> wrote:
>> I can see no good reason for this to be "SHOULD" rather than "MUST".
>> Please can it be changed to "MUST"? Otherwise, a client might have no
>> way of knowing why the request failed, and therefore no reasonable way
>> to proceed.
>
> This seems reasonable; I would also be supportive of a change like this.

Excellent. Thank you.

>> That looks dangerous to me. If the server implements the requirement
>> above, then when Mallory's attempt to replay Alice's request has just
>> failed, the server will reply with a fresh nonce, thereby
>> potentially giving Mallory the means to usurp Alice's session. Ouch!
>
> You start by talking about an adversary that is replaying existing
> messages, which causes the badNonce error when the request is replayed
> the second time. But when you say "potentially giving Mallory the means
> to usurp Alice's session", that would require the adversary construct a
> new signed message using the nonce without the participation of Alice -
> this shouldn't be possible in the MITM threat model that the nonce usage
> is meant to address.

Ah, indeed, if the request must contain the new nonce and be signed with
Alice's private key, then you are correct, and my previous reply (to
Philipp) was overly hasty.

Thanks for your explanation, and apologies to Philipp for my
misunderstanding.

Sam

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
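The exchange Daniel describes, as an added example that is not part of the thread and not code from any ACME implementation: a toy in-memory server in Go, with an ed25519 key standing in for the JWS account key, assumed names ("acct-alice", "/new-order", the sample new-order payload) and a simplified error type for a rejected signature. Mallory's replay of Alice's request is refused with badNonce and still receives a fresh Replay-Nonce, but neither pasting that nonce into Alice's captured request nor signing a new request with her own key gets past verification under Alice's account key, because the nonce sits inside the signed protected header.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// badNonce is the ACME error type from the thread; the type for a bad signature is simplified.
const (
	ErrBadNonce = "urn:ietf:params:acme:error:badNonce"
	ErrBadSig   = "urn:ietf:params:acme:error:malformed"
)

// Protected is the part of the JWS protected header that matters: the nonce is signed.
type Protected struct {
	KID   string `json:"kid"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
}

// Request is a simplified JWS (Signature covers Protected and Payload). Response carries
// the ACME error type ("" on success) and the Replay-Nonce sent with every response.
type Request struct {
	Protected          Protected
	Payload, Signature []byte
}
type Response struct {
	Status      int
	ErrorType   string
	ReplayNonce string
}

// Outcome records what each party saw in the exchange discussed in the thread.
type Outcome struct{ AliceFirst, MalloryReplay, MallorySplice, MalloryForge, AliceRetry Response }

// Server is a toy in-memory ACME server (assumed for illustration, not a real one).
type Server struct {
	accounts map[string]ed25519.PublicKey // kid -> account public key
	nonces   map[string]bool              // issued and not yet consumed
}

// NewNonce models HEAD /new-nonce: fresh, unpredictable, single use.
func (s *Server) NewNonce() string {
	b := make([]byte, 16)
	rand.Read(b)
	n := base64.RawURLEncoding.EncodeToString(b)
	s.nonces[n] = true
	return n
}

func signingInput(p Protected, payload []byte) []byte {
	h, _ := json.Marshal(p)
	return []byte(base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(payload))
}

// Sign is what the account holder does with the account private key.
func Sign(priv ed25519.PrivateKey, p Protected, payload []byte) Request {
	return Request{Protected: p, Payload: payload, Signature: ed25519.Sign(priv, signingInput(p, payload))}
}

// Handle verifies the signature under the registered key, then the nonce; every answer carries a fresh nonce.
func (s *Server) Handle(r Request) Response {
	fresh := s.NewNonce()
	pub, ok := s.accounts[r.Protected.KID]
	if !ok || !ed25519.Verify(pub, signingInput(r.Protected, r.Payload), r.Signature) {
		return Response{Status: 400, ErrorType: ErrBadSig, ReplayNonce: fresh}
	}
	if !s.nonces[r.Protected.Nonce] {
		return Response{Status: 400, ErrorType: ErrBadNonce, ReplayNonce: fresh}
	}
	delete(s.nonces, r.Protected.Nonce) // consumed: a replay of this exact request now fails
	return Response{Status: 200, ReplayNonce: fresh}
}

// RunScenario plays it out: Alice succeeds, Mallory's replay gets badNonce plus a fresh
// nonce, and that nonce is useless to Mallory because any request carrying it must verify
// under Alice's account key.
func RunScenario() Outcome {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{accounts: map[string]ed25519.PublicKey{"acct-alice": alicePub}, nonces: map[string]bool{}}
	payload := []byte(`{"identifiers":[{"type":"dns","value":"example.test"}]}`) // constructed sample
	hdr := func(nonce string) Protected { return Protected{KID: "acct-alice", Nonce: nonce, URL: "/new-order"} }

	var o Outcome
	req := Sign(alicePriv, hdr(srv.NewNonce()), payload)
	o.AliceFirst = srv.Handle(req)    // 200, nonce consumed
	o.MalloryReplay = srv.Handle(req) // badNonce, and the response hands Mallory a fresh nonce
	spliced := req                    // paste that nonce into the captured request: signature no longer verifies
	spliced.Protected.Nonce = o.MalloryReplay.ReplayNonce
	o.MallorySplice = srv.Handle(spliced)
	// A new request under Alice's kid signed with Mallory's own key fails under Alice's public key.
	o.MalloryForge = srv.Handle(Sign(malloryPriv, hdr(o.MallorySplice.ReplayNonce), payload))
	// Only the holder of Alice's private key can spend a fresh nonce.
	o.AliceRetry = srv.Handle(Sign(alicePriv, hdr(o.MalloryForge.ReplayNonce), payload))
	return o
}

func main() {
	o := RunScenario()
	fmt.Println(o.AliceFirst.Status, o.MalloryReplay.ErrorType, o.MallorySplice.ErrorType, o.MalloryForge.ErrorType, o.AliceRetry.Status)
}
```

`go run` prints the five outcomes in order: 200 for Alice, badNonce for the replay, a signature rejection for both of Mallory's attempts with the fresh nonce, and 200 again for Alice. Real ACME carries the nonce in an HTTP Replay-Nonce header and signs with an RSA or ECDSA account key inside a JWS, but the property that matters is the same: the signature verification, not the nonce's secrecy, is what keeps a fresh nonce from helping an adversary who lacks the account key.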
