On Apr 14, 2004, at 1:57 PM, Ben Laurie wrote:
Correct - it is a nonce-seed.
AuthDigestNonce --> AuthDigestSeed or AuthDigestNonceSeed ?
It should be identical across an XS realm - but different from realm to realm. If one realm is used on multiple servers (e.g. non-sticky loadbalancing) it should be identical across those servers.
A -lot- of different sites use common realm names (such as 'DAV' or 'webfolder'), so it should not be set to the same as the realm. Hence the IP address advice for single servers. (This is the problem I found in the wild - recycle a captured wire digest from a common realm name such as 'webfolder', 'dav', 'ical' and use it on a totally different server to which the user uses the same convenience username and password).

Right. We should be more explicit about the threat model. To that end, how about something like AuthDigestRealmSeed as the name?
I think that makes it clearer, yes.
+1
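As an added illustration of the replay problem discussed in this thread (example code, not part of the original mails and not mod_auth_digest's own code): two unrelated servers both use the common realm name 'webfolder', and the user has the same convenience username and password on both, so HA1 is identical on both. The nonce construction below is an assumption for the example (an HMAC over realm and timestamp keyed by a per-deployment seed); it shows that a digest response captured against one server is rejected by a server with a different seed, while a cluster peer sharing the seed still accepts it. The digest is the simplified RFC 2617 form without qop/cnonce, and nonce-age checks are omitted.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class DigestServer:
    """Minimal Digest-auth verifier. The nonce is bound to a per-deployment
    seed (hypothetical construction, not Apache's) so that nonces minted by
    an unrelated server using the same realm name are not accepted here."""

    def __init__(self, realm: str, seed: bytes):
        self.realm = realm
        self.seed = seed

    def make_nonce(self, timestamp: int) -> str:
        mac = hmac.new(self.seed, f"{self.realm}:{timestamp}".encode(),
                       hashlib.sha256).hexdigest()
        return f"{timestamp}:{mac}"

    def nonce_is_ours(self, nonce: str) -> bool:
        ts, _, _mac = nonce.partition(":")
        if not ts.isdigit():
            return False
        # Recompute what we would have issued for that timestamp and compare.
        return hmac.compare_digest(self.make_nonce(int(ts)), nonce)

    def verify(self, username: str, method: str, uri: str, nonce: str,
               response: str, ha1_lookup) -> bool:
        if not self.nonce_is_ours(nonce):
            return False  # replayed or foreign nonce
        ha1 = ha1_lookup(username, self.realm)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)


def client_response(username: str, password: str, realm: str,
                    method: str, uri: str, nonce: str) -> str:
    """What a browser sends back for a given challenge nonce."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


# Constructed sample data: same convenience credentials on every server,
# the same common realm name everywhere, as described in the thread.
REALM = "webfolder"
USER, PASSWORD = "alice", "convenience-password"
HA1_DB = {(USER, REALM): md5_hex(f"{USER}:{REALM}:{PASSWORD}")}  # htdigest-style store


def lookup_ha1(username: str, realm: str):
    return HA1_DB.get((username, realm))


def replay_demo() -> dict:
    """Mint a nonce on origin, have the client answer it, then present the
    captured (nonce, response) pair to three verifiers."""
    origin = DigestServer(REALM, seed=b"seed-of-origin-server")
    cluster_peer = DigestServer(REALM, seed=b"seed-of-origin-server")   # shares the seed
    unrelated = DigestServer(REALM, seed=b"seed-of-some-other-site")     # same realm, own seed

    nonce = origin.make_nonce(1081965420)  # timestamp value is constructed
    captured = client_response(USER, PASSWORD, REALM, "GET", "/cal/", nonce)

    check = lambda srv: srv.verify(USER, "GET", "/cal/", nonce, captured, lookup_ha1)
    return {
        "origin": check(origin),
        "cluster_peer": check(cluster_peer),
        "unrelated_same_realm": check(unrelated),
    }


if __name__ == "__main__":
    print(replay_demo())
```

The observable difference is entirely in the seed: HA1 and the realm string are identical everywhere, so only a verifier that recomputes the nonce with its own seed can tell a foreign challenge from one it issued.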
