[361] in WWW Security List Archive


Re: Experimental implementation of SimpleMD5

daemon@ATHENA.MIT.EDU (Phillip M. Hallam-Baker)
Mon Jan 30 19:04:26 1995

To: www-security@ns2.rutgers.edu
cc: hallam@dxal18.cern.ch
In-reply-to: Your message of "Tue, 31 Jan 1995 02:04:01 +0900."
             <9501301704.AA02310@link.osf.org> 
Date: 	Tue, 31 Jan 1995 04:30:42 +0900
From: "Phillip M. Hallam-Baker" <hallam@dxal18.cern.ch>
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu


>So this is a timestamp as a nonce, so that the clock skew between
>server and client doesn't matter? Or does the clock skew matter, so
>what is it? Glancing back at your on-line proposal, I find only that
>the timestamp is not currently checked, not how it will be.

The problem is as follows :-

If a nonce is used that is `updated' by the client and server the server must
keep some record of having given out the nonce and what it is. Thus the server
protocol is no longer idempotent and we are faced with the problem that UNIX
process to process communication is so incompetent that we can't get a
forking server to work reliably without special hacks for every implementation.

CGI scripts are worse :-(


	Phill
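
The trade-off discussed in this message, as an added example that is not part of the original post or of the SimpleMD5 proposal: a server-issued nonce needs a record that forked workers do not share, while a timestamp can be checked by any worker without state. `NonceWorker`, `verify_timestamp`, `SECRET`, the 300-second `MAX_SKEW` and the HMAC-SHA256 digest are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"  # constructed sample value
MAX_SKEW = 300  # seconds; assumed window, the post states none


def mac(challenge: str, message: bytes) -> str:
    # HMAC-SHA256 stand-in for the keyed digest (not the SimpleMD5 construction)
    return hmac.new(SECRET, challenge.encode() + b"|" + message, hashlib.sha256).hexdigest()


class NonceWorker:  # one forked server process; its record lives in its own memory
    def __init__(self):
        self.issued = set()

    def issue(self) -> str:
        nonce = os.urandom(16).hex()
        self.issued.add(nonce)  # the record that makes the server stateful
        return nonce

    def verify(self, nonce: str, message: bytes, digest: str) -> bool:
        if nonce not in self.issued:  # issued by another worker, or replayed
            return False
        self.issued.discard(nonce)  # single use
        return hmac.compare_digest(mac(nonce, message), digest)


def verify_timestamp(ts: int, message: bytes, digest: str, now: int) -> bool:
    # Stateless: any worker can run this, but clock skew now matters.
    if abs(now - ts) > MAX_SKEW:
        return False
    return hmac.compare_digest(mac(str(ts), message), digest)


def demo() -> dict:
    a, b = NonceWorker(), NonceWorker()  # two children of a forking server
    msg = b"GET /private/report"  # constructed request
    n, ts, now = a.issue(), 791494242, 791494300  # constructed clock values
    d, t = mac(n, msg), mac(str(ts), msg)
    return {
        "nonce_other_worker": b.verify(n, msg, d),  # False: b has no record
        "nonce_same_worker": a.verify(n, msg, d),  # True
        "nonce_replay": a.verify(n, msg, d),  # False: already consumed
        "ts_any_worker": verify_timestamp(ts, msg, t, now),  # True
        "ts_replay": verify_timestamp(ts, msg, t, now + 60),  # True: inside window
        "ts_stale": verify_timestamp(ts, msg, t, now + 600),  # False
    }
```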

