"McDonald, Ira" wrote:
> ...
> I think we want to strongly recommend that IPP Clients use (and
> IPP Printers expect to see used) the 'cnonce' option for better
> authentication, in the IIG.
> ...
IMHO, putting any restriction on the type of digest authentication
to use is outside the scope of IPP - that's an HTTP issue, and the
spec is fairly clear and would allow specific implementations or
sites to require cnonce or other security features of digest.
Also, cnonce does not eliminate man-in-the-middle attacks - you
need to use the MD5-sess algorithm to prevent changing of the
contents of the message body - cnonce only provides another bunch
of data to be added to the password sum and is of limited value
if the server already provides random nonce values for each
challenge.
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw.com
Printing Software for UNIX http://www.easysw.com
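
Added example, not part of the original message or of any IPP/HTTP implementation: the RFC 2617 Digest `response` computation, written out so it can be seen where `cnonce`, the `MD5-sess` algorithm and the `qop` value each enter the hash. The credentials and nonces are the sample values from RFC 2617 section 3.5; the `POST /ipp` request and the two bodies are constructed for illustration.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", algorithm="MD5", body=b""):
    """RFC 2617 'response' value for a request that carries a qop directive."""
    ha1 = md5_hex(f"{user}:{realm}:{password}".encode())
    if algorithm == "MD5-sess":
        # Session key: the password hash (hex form) bound to nonce and cnonce.
        ha1 = md5_hex(f"{ha1}:{nonce}:{cnonce}".encode())
    elif algorithm != "MD5":
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if qop == "auth":
        a2 = f"{method}:{uri}"
    elif qop == "auth-int":
        # auth-int is the only qop that hashes the entity body into A2.
        a2 = f"{method}:{uri}:{md5_hex(body)}"
    else:
        raise ValueError(f"unsupported qop: {qop}")
    ha2 = md5_hex(a2.encode())
    # cnonce and the nonce count nc are always part of the final hash.
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


# Sample request from RFC 2617 section 3.5.
RFC = dict(user="Mufasa", realm="testrealm@host.com",
           password="Circle Of Life", method="GET", uri="/dir/index.html",
           nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
           nc="00000001", cnonce="0a4f113b")


def body_is_covered(qop, algorithm):
    """True if altering the request body changes the computed response."""
    # Constructed IPP-style request; the bodies are placeholders.
    req = dict(RFC, method="POST", uri="/ipp", qop=qop, algorithm=algorithm)
    return (digest_response(**req, body=b"job-A")
            != digest_response(**req, body=b"job-B"))


if __name__ == "__main__":
    print("RFC 2617 vector:", digest_response(**RFC))
    for alg in ("MD5", "MD5-sess"):
        for qop in ("auth", "auth-int"):
            print(f"{alg:8} {qop:8} body covered: {body_is_covered(qop, alg)}")
```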