W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Re: more on Digest Auth

From: Paul Leach <paulle@microsoft.com>
Date: Wed, 21 Feb 96 13:27:36 PST
To: dmk@allegra.att.com, ned@innosoft.com
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: red-16-msg960221212023MTP[01.52.00]000000b1-106532
Ned said (]) , in answer to Dave (>):
----------
> Unfortunately, the I-D doesn't talk much about how to generate the
> opaque string, and opaque is an important part of preventing replays of
> the sort recently discussed here.  Unfortunately, I can't figure out
> the originator of the algorithm I use to generate opaque, but I think
> it was John Franks.  In any case, my opaque is an MD5 of

> 	- a server-dependent (compile-time) random number
> 	- a timestamp
> 	- the request IP address
> 	- the (time-dependent) nonce
> 	- the security realm

> Opaque in the Authenticate header must match the server's
> request-time-calculated value for processing to proceed.

] For the material you've selected to work it should be used as the nonce
] value. This is included in the digest and will have the effect you're trying
] to achieve.

The draft also says that the nonce is a "server specified integer 
value". (It _doesn't_ say if it's *HEX or *DIGIT...) If it included all 
the material Dave uses, it would be a pretty big integer, and clients 
probably wouldn't know how to increment it.

Changing the spec to say it's *HEX, and that the last 32 bits is the 
part that clients must increment each time they return it in a request, 
would enable the implementation of your suggestions.

The draft also isn't very specific about what "<message-body>" 
includes.  Does it mean entity-body, or does it include the headers as 
well?  The latter is preferable.

Paul
Received on Wednesday, 21 February 1996 13:24:51 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:45 EDT