Opened 8 years ago

Closed 7 years ago

#5 closed defect (fixed)

Is STALE needed?

Reported by: ynir@…
Owned by: draft-ietf-httpauth-mutual@…
Priority: major
Milestone:
Component: mutual
Version:
Severity: Submitted WG Document
Keywords: STALE
Cc:

Description

Reported by Yaron

Section 2.3:

The server seldom knows whether the sid value is stale or a new one being tried by an attacker. Why not send a simple 401-INIT instead?

Change History (5)

comment:1 Changed 8 years ago by ynir@…

Additionally, can the server send a hint to the client regarding the expected lifetime of the sid?

comment:2 Changed 8 years ago by ynir@…

  • Component changed from basicauth-enc to mutual
  • Owner changed from draft-ietf-httpauth-basicauth-enc@… to draft-ietf-httpauth-mutual@…

comment:3 Changed 8 years ago by y.oiwa@…

If the server has no knowledge of whether the sid value is stale or a new one being tried by an attacker, the server will simply send a 401-STALE response.

For the additional comment, we have a "time" field serving the same purpose.
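As an added illustration of the behaviour described in the comment above (this is not code from the draft or from the ticket), the toy server below keeps an in-memory table of issued sids and answers both an expired sid and a never-issued sid with the same 401-STALE response, so the response alone does not reveal which case applied. The `Session`/`MutualAuthServer` names, the in-memory table, and the modelling of the "time" hint as the session lifetime in seconds are assumptions made for this example.

```python
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    issued_at: float  # when the server issued this sid (assumed bookkeeping)
    lifetime: int     # seconds the server intends to honour it


@dataclass
class MutualAuthServer:
    """Toy model of the server-side sid check discussed in the ticket.

    Assumed, not taken from the draft: sessions live in an in-memory dict,
    and the advertised "time" hint is simply the session lifetime in seconds.
    """
    lifetime: int = 600
    sessions: dict = field(default_factory=dict)

    def new_session(self, sid: str, now: Optional[float] = None) -> dict:
        """Register a freshly issued sid and tell the client its expected lifetime."""
        now = time.time() if now is None else now
        self.sessions[sid] = Session(issued_at=now, lifetime=self.lifetime)
        return {"sid": sid, "time": self.lifetime}

    def handle(self, sid: str, now: Optional[float] = None) -> dict:
        """Return the response for a presented sid.

        An expired sid and a sid the server never issued are handled
        identically: the server cannot tell them apart, so both get
        401-STALE together with the lifetime hint.
        """
        now = time.time() if now is None else now
        sess = self.sessions.get(sid)
        if sess is None or now - sess.issued_at > sess.lifetime:
            self.sessions.pop(sid, None)  # drop the expired entry, if any
            return {"response": "401-STALE", "time": self.lifetime}
        remaining = sess.lifetime - int(now - sess.issued_at)
        return {"response": "200", "time": remaining}


if __name__ == "__main__":
    server = MutualAuthServer(lifetime=600)
    print(server.new_session("sid-1", now=1000.0))
    print(server.handle("sid-1", now=1100.0))       # still valid
    print(server.handle("sid-1", now=1601.0))       # expired -> 401-STALE
    print(server.handle("never-issued", now=1000.0))  # unknown -> 401-STALE
```

Passing `now` explicitly keeps the example deterministic; in a real deployment the clock would come from the server and the lifetime hint would be whatever the specification's "time" field actually carries.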

comment:4 Changed 7 years ago by mlepinski.ietf@…

Closing this issue. The latest version describes the use of the 401-Stale response with this mechanism.

comment:5 Changed 7 years ago by mlepinski.ietf@…

  • Resolution set to fixed
  • Status changed from new to closed