W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

APOP - authentication..

From: Peter J Churchyard <pjc@trusted.com>
Date: Mon, 19 Feb 1996 14:37:41 -0500 (EST)
Message-Id: <9602191937.AA19334@hilo.trusted.com>
To: pjc <pjc@hilo.trusted.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
This document describes a simple authentication scheme for http that uses
the APOP mechanism as defined in RFC1725 Post Office Protocol - Version 3.

APOP Authentication scheme.

APOP-Challenge = "APOP" 1*SP apop-realm
apop-realm = "<" nonce "@" hostname ">"
nonce = <Some string that is unique to this reply>
hostname = <the name of the proxy/gateway/server>

The credentials returned on the Authorization header are of the form

Authorization = "Authorization" ":" "APOP," "user=" username
			",digest=" apopdigest
apopdigest = <hexadecimal encoding of the 16 octet value of the MD5 hash of
		the apop-realm followed by the shared secret. Lower case
		version of hex characters only (0-9a-f)>

In RFC1725 the random string is in the 'msg-id' format (RFC822), this 
document allows other similiar strings to be used. The main characterization
is that it should be unique over a substantial period of time.

Note that no attempt is made to directly tie in the requested URL as part of
the scheme. When there may be  multiple connections in parallel it is up to the
authorization point to maintain a cache of outstanding valid challenges and
to allow each challenge to be used at most once.
Received on Monday, 19 February 1996 11:44:04 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:45 EDT