| ▲ | throwaway2037 4 hours ago |
| I don't understand the reference. I looked it up here: https://datatracker.ietf.org/doc/html/rfc2617#section-4.3

    4.3 Limited Use Nonce Values

    The Digest scheme uses a server-specified nonce to seed the
    generation of the request-digest value (as specified in section
    3.2.2.1 above). As shown in the example nonce in section 3.2.1, the
    server is free to construct the nonce such that it may only be used
    from a particular client, for a particular resource, for a limited
    period of time or number of uses, or any other restrictions. Doing
    so strengthens the protection provided against, for example, replay
    attacks (see 4.5). However, it should be noted that the method
    chosen for generating and checking the nonce also has performance and
    resource implications. For example, a server may choose to allow
    each nonce value to be used only once by maintaining a record of
    whether or not each recently issued nonce has been returned and
    sending a next-nonce directive in the Authentication-Info header
    field of every response. This protects against even an immediate
    replay attack, but has a high cost checking nonce values, and perhaps
    more important will cause authentication failures for any pipelined
    requests (presumably returning a stale nonce indication). Similarly,
    incorporating a request-specific element such as the Etag value for a
    resource limits the use of the nonce to that version of the resource
    and also defeats pipelining. Thus it may be useful to do so for
    methods with side effects but have unacceptable performance for those
    that do not.

Can you explain your (assumed) sarcastic remark? |
|
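The single-use, resource-bound nonce scheme the quoted section describes, as an added Python example that is not part of the thread or of RFC 2617: nonce issuance binds a timestamp to the resource's ETag under a server secret (an HMAC is assumed here in place of the RFC's plain hash), the server keeps a record of returned nonces so an immediate replay gets a stale indication, and a fresh next-nonce is handed back with every response.

```python
import hashlib
import hmac

# Constructed server secret for this example; a real server generates and protects its own.
PRIVATE_KEY = b"example-private-key-not-for-production"


def make_nonce(etag, now, key=PRIVATE_KEY):
    """Nonce in the shape of RFC 2617's section 3.2.1 example: a timestamp plus a
    tag binding it to the resource's ETag and a server secret (HMAC-SHA256 assumed)."""
    ts = str(int(now))
    tag = hmac.new(key, f"{ts}:{etag}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{tag}"


class NonceChecker:
    """Server-side record of recently returned nonces so each is accepted only once,
    the bookkeeping section 4.3 says has a cost and breaks pipelining."""

    def __init__(self, key=PRIVATE_KEY, max_age=300):
        self.key = key
        self.max_age = max_age          # seconds a nonce stays acceptable
        self.used = {}                  # nonce -> time it was accepted

    def check(self, nonce, etag, now):
        """Return (verdict, next_nonce): 'bad' for a nonce not issued for this ETag,
        'stale' for an expired or already-used one, 'ok' otherwise. The next_nonce
        plays the role of the Authentication-Info nextnonce directive."""
        next_nonce = make_nonce(etag, now, self.key)
        ts, _, tag = nonce.partition(":")
        if not ts.isdigit():
            return "bad", next_nonce
        expected = hmac.new(self.key, f"{ts}:{etag}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return "bad", next_nonce    # forged, or issued for another version of the resource
        # Drop records of nonces that are too old to be accepted anyway, so the table stays bounded.
        self.used = {n: t for n, t in self.used.items() if now - t <= self.max_age}
        if now - int(ts) > self.max_age or nonce in self.used:
            return "stale", next_nonce  # client retries the request with next_nonce
        self.used[nonce] = now
        return "ok", next_nonce
```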
| ▲ | afandian 4 hours ago | parent | next [-] |
| That third word, starting with 'n', is British slang, which you are welcome to look up. Presumably the etymology was in place before it took on its present meaning, but it is not a word I would use in a professional context. My comment was oblique, but not sarcastic. Partly because I didn't want to use the word directly, and partly in keeping with the tone of the original blog post! |
| |
| ▲ | graemep 3 hours ago | parent [-] | | The British usage predates the RFC and probably the cryptographic use. I definitely heard the term in the late 80s. |
|
|
| ▲ | ethersteeds 3 hours ago | parent | prev | next [-] |
| In British slang, "nonce" is a highly offensive term for a sex offender, particularly one who has harmed children. It is considered derogatory and should be used with caution. |
| |
| ▲ | jowsie an hour ago | parent [-] | | I'm guessing this is very context/region dependent. Calling someone a nonce as a bit of banter would be more acceptable than calling them a paedophile when I was growing up. I assume because using the officially recognised term made your accusations seem more earnest, though I've never actually thought much about it before. |
|
|
| ▲ | roryirvine 4 hours ago | parent | prev [-] |
| "number used once" wouldn't be the first definition of that word which springs to mind for most people in the UK. |