Eliot Lear <[EMAIL PROTECTED]> writes:
> In order for this replay to be effective the attacker would have had to
> compromise the privacy of the exchange or one end of the
> communication.

Yeah, like if it weren't done over TLS.

> A cookie approach is reasonable where this risk is
> reasonable, and can be further mitigated through brief durations or one
> time use depending on need. Do we need more?

Well, I think the question is whether such settings are the only ones
we're interested in.

-Ekr
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
