On Fri, Nov 25, 2016 at 11:36 AM, Sam Kuper <[email protected]> wrote:
> Hi Daniel,
>
> On 25/11/2016, Daniel McCarney <[email protected]> wrote:
> > I can see no good reason for this to be "SHOULD" rather than "MUST".
> >> Please can it be changed to "MUST"? Otherwise, a client might have no
> >> way of knowing why the request failed, and therefore no reasonable way
> >> to proceed.
> >
> > This seems reasonable, I would also be supportive of a change like this.
>
> Excellent. Thank you.
>

Works for me. One of you guys want to send a PR?

--Richard

>
> >> That looks dangerous to me. If the server implements the requirement
> >> above, then when Mallory's attempt to replay Alice's request has just
> >> failed, the server will reply with a fresh nonce, thereby
> >> potentially giving Mallory the means to usurp Alice's session. Ouch!
> >
> > You start by talking about an adversary that is replaying existing
> > messages, which causes the badNonce error when the request is replayed
> > the second time. But when you say "potentially giving Mallory the means
> > to usurp Alice's session", that would require the adversary construct a
> > new signed message using the nonce without the participation of Alice -
> > this shouldn't be possible in the MITM threat model that the nonce usage
> > is meant to address.
>
> Ah, indeed, if the request must contain the new nonce and be signed
> with Alice's private key, then you are correct, and my previous reply
> (to Philipp) was overly hasty.
>
> Thanks for your explanation, and apologies to Philipp for my
> misunderstanding.
>
> Sam
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
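The exchange above turns on two properties of ACME's anti-replay nonce: a replayed request fails with badNonce (and the server hands back a fresh nonce), yet that fresh nonce is useless to Mallory because every request's signature covers the nonce and is made with Alice's account key. The following simulation is an added example, not code from the ACME specification or from any participant in the thread. It models the JWS signature with an HMAC over the protected header and payload (a stand-in for the account-key signature; the threat model is the same because Mallory lacks the key), and the names `AcmeServer`, `BadNonce`, `make_request` and `replay_scenario` are this example's own.

```python
import hashlib
import hmac
import json
import secrets


class BadNonce(Exception):
    """Server rejected a stale, unknown or already-used nonce (ACME's badNonce error).

    Carries the fresh Replay-Nonce the server includes in the error response, which is
    the "SHOULD" -> "MUST" point discussed in the thread.
    """

    def __init__(self, fresh_nonce):
        super().__init__("badNonce")
        self.fresh_nonce = fresh_nonce


def sign(key, protected, payload):
    # Stand-in for the JWS signature: covers the protected header (which holds the
    # nonce) and the payload, so the nonce cannot be swapped without re-signing.
    msg = json.dumps(protected, sort_keys=True) + "." + json.dumps(payload, sort_keys=True)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def make_request(key, kid, nonce, payload):
    # Hypothetical URL; any fixed value would do for the example.
    protected = {"kid": kid, "nonce": nonce, "url": "https://acme.example/new-order"}
    return {"protected": protected, "payload": payload, "signature": sign(key, protected, payload)}


class AcmeServer:
    """Toy ACME server: one-time nonces plus signature verification per account."""

    def __init__(self, account_keys):
        self.account_keys = account_keys  # kid -> account secret (stand-in for the public key)
        self.live_nonces = set()          # nonces issued but not yet consumed
        self.processed = []               # payloads the server actually acted on

    def new_nonce(self):
        nonce = secrets.token_urlsafe(16)
        self.live_nonces.add(nonce)
        return nonce

    def handle(self, request):
        protected = request["protected"]
        key = self.account_keys[protected["kid"]]
        # Verify the signature first, so an unsigned or mis-signed request can never
        # consume (or learn anything about) a nonce.
        expected = sign(key, protected, request["payload"])
        if not hmac.compare_digest(expected, request["signature"]):
            raise PermissionError("malformed: bad signature")
        nonce = protected["nonce"]
        if nonce not in self.live_nonces:
            # Replayed or unknown nonce: reject, and always return a fresh nonce so
            # the legitimate client can retry.
            raise BadNonce(self.new_nonce())
        self.live_nonces.discard(nonce)  # single use
        self.processed.append(request["payload"])
        return self.new_nonce()


def replay_scenario():
    """Alice sends one request; Mallory replays it, then tries to use the fresh nonce."""
    alice_key = secrets.token_bytes(32)       # constructed account secret
    server = AcmeServer({"alice": alice_key})

    # 1. Alice's legitimate request is accepted and consumes her nonce.
    req = make_request(alice_key, "alice", server.new_nonce(), {"identifiers": ["example.org"]})
    server.handle(req)

    # 2. Mallory replays the captured request byte-for-byte: badNonce, fresh nonce returned.
    try:
        server.handle(req)
        replay_rejected, fresh = False, None
    except BadNonce as err:
        replay_rejected, fresh = True, err.fresh_nonce

    # 3. Mallory signs a new request with the fresh nonce using a key of his own.
    forged = make_request(secrets.token_bytes(32), "alice", fresh, {"identifiers": ["attacker.example"]})
    try:
        server.handle(forged)
        forgery_rejected = False
    except PermissionError:
        forgery_rejected = True

    # 4. Mallory splices the fresh nonce into Alice's signed request; the signature no longer matches.
    spliced = dict(req, protected=dict(req["protected"], nonce=fresh))
    try:
        server.handle(spliced)
        splice_rejected = False
    except PermissionError:
        splice_rejected = True

    return {
        "replay_rejected": replay_rejected,
        "fresh_nonce_sent": fresh is not None,
        "forgery_rejected": forgery_rejected,
        "splice_rejected": splice_rejected,
        "processed": len(server.processed),
        "fresh_nonce_still_live": fresh in server.live_nonces,
    }


if __name__ == "__main__":
    print(replay_scenario())
```

The signature check runs before the nonce lookup, so Mallory's attempts neither consume the fresh nonce nor move the server's state; only Alice, holding the key, can spend it. That is the reason a mandatory fresh nonce in the badNonce response helps the legitimate client without helping the replayer.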
