On Apr 14, 2004, at 12:12 AM, Ben Laurie wrote:
Surely this advice is not good - this value (according to my reading) is the only secret that prevents forgery of nonces. OTOH, it's late, and I may not be thinking clearly about this - in fact, I'm suspecting that forgery of nonces is not an issue - the issue is using the same nonce in different realms - but I'll send this anyway just so it gets discussed.
Also, this isn't really a nonce - the constructed value is - this is a nonce seed, or something along those lines.
Correct - it is a nonce-seed.
AuthDigestNonce --> AuthDigestSeed or AuthDigestNonceSeed ?

It should be identical across an XS realm - but different from realm to realm. If one realm is used on multiple servers (e.g. non-sticky load balancing) it should be identical across those servers.

As a -lot- of different sites use common realm names (such as 'DAV' or 'webfolder'), it should not be set to the same as the realm. Hence the IP address advice for single servers. (This is the problem I found in the wild - recycle a captured wire digest from a common realm name such as 'webfolder', 'dav', 'ical' and use it on a totally different server on which the user uses the same convenience username and password.)
Dw
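To illustrate the point made above about one seed per realm (shared by that realm's servers, distinct from other realms, and never equal to the realm name), here is an added Python sketch; it is not mod_auth_digest's code. A nonce is an HMAC over a timestamp and the realm, keyed by the seed, so a nonce minted by an unrelated server with a different seed is rejected even when the realm name matches. The seed values, lifetime and timestamps are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed example values; a real deployment picks its own seed and lifetime.
NONCE_LIFETIME = 300  # seconds a minted nonce stays valid


def make_nonce(seed, realm, now=None):
    """Mint a nonce bound to this realm's seed, formatted "<timestamp>:<hmac>"."""
    ts = str(int(now if now is not None else time.time()))
    tag = hmac.new(seed, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{tag}"


def check_nonce(seed, realm, nonce, now=None):
    """Accept only nonces minted under the same seed and realm and still within lifetime."""
    try:
        ts, tag = nonce.split(":", 1)
        ts_int = int(ts)
    except ValueError:
        return False  # malformed nonce
    current = int(now if now is not None else time.time())
    if not 0 <= current - ts_int <= NONCE_LIFETIME:
        return False  # expired or from the future
    expected = hmac.new(seed, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def seed_is_sane(seed, realm):
    """Reject the weak choices the thread warns about: a short seed or seed == realm name."""
    return len(seed) >= 16 and seed != realm.encode()


def replay_accepted(realm, issuer_seed, verifier_seed, now=1_000_000):
    """Would a nonce issued by one server be accepted by another for the same realm name?"""
    nonce = make_nonce(issuer_seed, realm, now)
    return check_nonce(verifier_seed, realm, nonce, now + 10)


if __name__ == "__main__":
    cluster_seed = b"site-A-seed-0123456789abcdef"   # shared by all servers of site A
    other_site_seed = b"site-B-seed-fedcba9876543210"  # unrelated site, same realm name
    print("same realm, same seed (cluster peer):", replay_accepted("webfolder", cluster_seed, cluster_seed))
    print("same realm, different seed (other site):", replay_accepted("webfolder", cluster_seed, other_site_seed))
    print("seed equal to realm name is sane:", seed_is_sane(b"webfolder", "webfolder"))
```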
