[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Re: Cookies at XML Europe 2004 -- Call for Participation
Rich Salz scripsit: > In the Web world, all SSL-speaking browsers come with a list of root > certificates for CA's that issue SSL-certs. As long as you trust > the certs that came with your browser, then even if I am sitting > as a lonely island completely with everyone one of my IP packets > under your control, you can't fool me. Very true, although eventually those certificates will expire, and then you need a new browser, in which case I've got you. I reread RFC 2617 last night, and it does seem to me that although it is very properly self-deprecating about the level of security provided by digest authentication, it really does provide decent authentication (though not integrity protection or, of course, confidentiality) provided one is clever about server and client nonces. What is more, the level of authentication security can be smoothly traded off against convenience and cacheability, because on a GET a replay attack is pointless: Eve can only learn what the result of that very GET was. (All bets are off if Eve can break the hash function, of course, and it might be worthwhile for someone to update the RFC to make specific reference to SHA1 and SHA1-sess algorithms.) -- We call nothing profound jcowan@r... that is not wittily expressed. John Cowan --Northrop Frye (improved) http://www.reutershealth.com
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|