W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

RE: Where we stand on Digest Authentication

From: Paul Leach <paulle@microsoft.com>
Date: Tue, 27 Feb 96 10:07:37 PST
To: john@math.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: red-16-msg960227180053MTP[01.52.00]000000b1-116634
I read the latest draft. Something leapt out at me for the first time
despite having read it many times -- Digest-Message-Digest. All of my 
advocacy about incrementing nonces may have been unnecessary, because 
what I want to do *might* be made possible by Digest-Message-Digest, 
but I can't tell because its description is a little skimpy.

So, let me ask some clarifying questions about Digest-Message-Digest, 
and then explain what I mean.


The fields in the Digest-Message-Digest header need to be described to 
the same level as the ones in the WWW-Authenticate and the 
Authorization headers.

Digest-MessageDigest:
              username="<username>",
              realm="<realm>",
              nonce="<nonce>",
              message="<message-digest>"

I know that the whole header is optional, but, if it is sent, are all 
the parameters optional too?

What is the "nonce=" for? Is its value supposed to replace the one the 
client is currently using?

What purpose might the <username> and <realm> parts of the reply serve
-- what might the client do with them?

*** IMPORTANT ***

If the value of the nonce parameter is supposed to replace the one the 
client is using, and if this is how current shipping clients (if any) 
behave, then I will happily withdraw my "incrementing nonce" proposal.
A server that wants to prevent replays can give the client a new nonce 
on each response, constructing it by incrementing or randomizing or 
timestamps or whatever it wants.

Paul
Received on Tuesday, 27 February 1996 10:07:03 EST
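The mechanism Paul asks about, a server that hands the client a fresh nonce with every successful response so that a replayed Authorization header is refused, as an added worked example. This is not code from the draft, from Paul Leach, or from any shipping client; it is a toy written for this archive page. It assumes the RFC 2069 form of the digest computation (MD5 of user:realm:password, of method:uri, and of the two joined by the nonce), which the draft under discussion may not match exactly, and it models the headers as plain dicts whose keys (username, realm, nonce, uri, response) are the parameter names from the message above. The message-digest parameter (entity integrity) is not modelled. Nonce construction (counter plus an HMAC tag under a server secret) is one of the "incrementing or randomizing or timestamps" options the message mentions, chosen here as an assumption.

```python
import hashlib
import hmac
import secrets


def md5hex(s: str) -> str:
    # MD5 because that is what the digest scheme of the day specifies;
    # it is not a recommendation for new designs.
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    # RFC 2069-style: MD5(HA1 ":" nonce ":" HA2) with
    # HA1 = MD5(user:realm:pass) and HA2 = MD5(method:uri).
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Toy server that issues a new nonce with every successful response.

    Only the most recently issued nonce is valid, so a captured
    Authorization header cannot be replayed once the client has moved on.
    (Real servers track nonces per client; one global nonce is a toy
    simplification used here.)
    """

    def __init__(self, realm, users, secret=None):
        self.realm = realm
        self.users = users                      # username -> password (toy only)
        self.secret = secret or secrets.token_bytes(16)
        self.counter = 0
        self.current_nonce = self._mint()

    def _mint(self):
        # Incrementing counter bound to a server secret, so the sequence
        # is unique per response and not forgeable by the client.
        self.counter += 1
        tag = hmac.new(self.secret, str(self.counter).encode(), "sha256").hexdigest()[:16]
        return f"{self.counter}:{tag}"

    def challenge(self):
        """WWW-Authenticate parameters for a 401 response."""
        return {"realm": self.realm, "nonce": self.current_nonce}

    def handle(self, method, uri, auth):
        """Return (status, response-header params)."""
        if auth.get("nonce") != self.current_nonce:
            # Old nonce: this is either a stale client or a replayed request.
            return 401, self.challenge()
        password = self.users.get(auth.get("username"))
        if password is None:
            return 401, self.challenge()
        expected = digest_response(auth["username"], self.realm, password,
                                   auth["nonce"], method, uri)
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return 401, self.challenge()
        # Success: rotate the nonce and return it in the response header
        # (the nonce= parameter of Digest-MessageDigest, as asked about above).
        self.current_nonce = self._mint()
        return 200, {"username": auth["username"], "realm": self.realm,
                     "nonce": self.current_nonce}


def client_authorization(username, password, realm, nonce, method, uri):
    """Build the Authorization parameters for one request."""
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "response": digest_response(username, realm, password, nonce, method, uri)}


def demo():
    # Constructed exchange: first request, a replay of it, then a request
    # using the nonce returned in the first 200 response.
    server = DigestServer("test@example.com", {"alice": "s3cret"},
                          secret=b"fixed-demo-secret")
    chal = server.challenge()
    auth1 = client_authorization("alice", "s3cret", chal["realm"], chal["nonce"],
                                 "GET", "/private")
    status1, hdr1 = server.handle("GET", "/private", auth1)
    status_replay, _ = server.handle("GET", "/private", auth1)       # replayed header
    auth2 = client_authorization("alice", "s3cret", hdr1["realm"], hdr1["nonce"],
                                 "GET", "/private")
    status2, hdr2 = server.handle("GET", "/private", auth2)
    return status1, status_replay, status2, hdr1["nonce"] != hdr2["nonce"]


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` returns `(200, 401, 200, True)`: the original request is accepted, its verbatim replay is refused because the server has already moved to the next nonce, and the request built from the returned nonce is accepted again with yet another nonce handed back. Whether the client is obliged to adopt the nonce from the response header is exactly the question the message leaves open; this example simply assumes it does.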
