tech-userlevel archive
Re: const time authentication in bozohttpd
On 6/26/14, 6:31 PM, Terry Moore wrote:
> My suggestion only changes the timing of the *failed* authentication
> path. I don't know of any reason why you would want that to be fast,
> especially if authenticating for a computer as the client.
Hi, Terry.
Ah, I see now. I was thinking the timing for all authentication paths,
successful and failed, needed to be indistinguishable, but I see
now that that's not the case. The successful path can be as fast as
possible, but all *failure* paths need to be indistinguishable so as to
avoid leaking. Now I get it. Sorry for being slow on this. Thank you
for your continued explanation and patience.
> Is there a reason that "fast authentication denial" is desirable?
For me, no.
Best,
Lewis
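The point the thread settles on (every failed check must cost the same, while the successful check is free to return as soon as it knows the answer) is easiest to see with an instrumented toy. The following is an added example and is not bozohttpd code; the credential table, user names and secrets are made up, and a byte-comparison counter (`work_units`) stands in for the wall-clock time an attacker would measure. The fixed-width `secret` field stands in for the fixed-width digest a real server would store; user names are treated as public, so the `strcmp` used to find the user is deliberately left out of the count.

```c
/*
 * Added example, not code from bozohttpd.  Two shapes of credential check:
 * one whose failure paths leak (work depends on how many leading bytes of
 * the guess are right, and an unknown user fails fastest of all), and one
 * whose failure paths all cost the same.  Table contents are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SECRET_MAX 32                 /* fixed width, NUL-padded by the initializer */

struct cred {
    const char *user;
    char secret[SECRET_MAX];
};

static const struct cred table[] = {  /* constructed sample data */
    { "alice", "correct horse battery staple" },
    { "bob",   "hunter2" },
};
#define NCRED (sizeof table / sizeof table[0])

/* Compared against when the user is unknown, so "no such user" costs exactly
 * what "wrong password" costs.  It is masked out below and never authenticates. */
static const struct cred unknown_user = { "", "" };

size_t work_units;                    /* secret bytes examined; stand-in for time */

/* Leaky: stops at the first mismatch, so each wrong guess takes a different
 * amount of work depending on how much of its prefix was right. */
int leaky_equal(const char *guess, const char *secret)
{
    for (;; guess++, secret++) {
        work_units++;
        if (*guess != *secret)
            return 0;
        if (*guess == '\0')
            return 1;
    }
}

/* Constant-work: always touches all SECRET_MAX bytes and accumulates
 * differences with OR instead of branching on secret data.  The only branch
 * is on the guess length, which the attacker chose and already knows. */
int ct_equal(const char *guess, const char secret[SECRET_MAX])
{
    size_t glen = strlen(guess);
    uint8_t diff = (uint8_t)(glen >= SECRET_MAX);   /* over-long guess can never match */
    for (size_t i = 0; i < SECRET_MAX; i++) {
        work_units++;
        uint8_t g = i < glen ? (uint8_t)guess[i] : 0;
        diff |= g ^ (uint8_t)secret[i];
    }
    return diff == 0;
}

/* Vulnerable shape: unknown user returns immediately; known user with a
 * wrong password returns after a data-dependent number of steps. */
int leaky_auth(const char *user, const char *pass)
{
    work_units = 0;
    for (size_t i = 0; i < NCRED; i++)
        if (strcmp(table[i].user, user) == 0)
            return leaky_equal(pass, table[i].secret);
    return 0;
}

/* Hardened shape: unknown user, wrong password and right password all run
 * the same SECRET_MAX-byte comparison.  Nothing stops the success path from
 * being cheaper; the point is that the failure paths are alike. */
int ct_auth(const char *user, const char *pass)
{
    work_units = 0;
    const struct cred *c = &unknown_user;
    for (size_t i = 0; i < NCRED; i++)           /* scan the whole table, no early exit */
        if (strcmp(table[i].user, user) == 0)
            c = &table[i];
    int match = ct_equal(pass, c->secret);
    return match & (c != &unknown_user);         /* the dummy can never authenticate */
}

int main(void)
{
    const char *guesses[] = { "xxxxxxx", "hunxxxx", "hunter2" };
    for (size_t i = 0; i < 3; i++) {
        int lr = leaky_auth("bob", guesses[i]); size_t lw = work_units;
        int cr = ct_auth("bob", guesses[i]);    size_t cw = work_units;
        printf("guess %-8s leaky: work=%zu ok=%d   ct: work=%zu ok=%d\n",
               guesses[i], lw, lr, cw, cr);
    }
    leaky_auth("mallory", "hunter2"); size_t lw = work_units;
    ct_auth("mallory", "hunter2");    size_t cw = work_units;
    printf("unknown user     leaky: work=%zu        ct: work=%zu\n", lw, cw);
    return 0;
}
```

Running it shows the leaky check spending 1, 4 and 8 units on the three guesses against "bob" and 0 units on an unknown user, while the constant-work check spends 32 units on every call; the only thing its timing can tell an observer is something the response body already says.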