RE: comments on http-authentication-00 from Paul Leach on 1997-12-09 (ietf-http-wg@w3.org from October to December 1997)

From: Paul Leach <paulle@microsoft.com>
Date: Mon, 8 Dec 1997 22:34:46 -0800
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, "'dmk@research.bell-labs.com'" <dmk@research.bell-labs.com>
Message-Id: <5CEA8663F24DD111A96100805FFE658720382B@red-msg-51.dns.microsoft.com>

Another comment. I detected another bug in the spec.  On page 13, it says:

           entity-digest<"> KD (H(A1), unquoted nonce-value ":" Method ":"
                         date ":" entity-info ":" H(entity-body)) <">
                                       ; format is <"> *LHEX <">

should be:

           entity-digest<"> KD (H(H(A1)), unquoted nonce-value ":" Method
":"
                         date ":" entity-info ":" H(entity-body)) <">
                                       ; format is <"> *LHEX <">

It is supposed to be this way so that when you have a centralized key
server, you can send it the initial nonce, the user name, and the
response-digest, it can validate it, and send back H(H(A1)), so that the
server need not ever have H(A1) -- a good thing, because otherwise it would
give the server the ability to authenticate as the user.


> ----------
> From: 	dmk@research.bell-labs.com[SMTP:dmk@research.bell-labs.com]
> Sent: 	Friday, December 05, 1997 9:33 AM
> To: 	http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> Subject: 	comments on http-authentication-00
> 
> I'll bring my usual set of nitpicking editorial comments to the IETF
> meeting for personal delivery.  Meanwhile, here are some substantive
> ones.
> 
> 1) Sect 1.2
> 	[Proxies] MUST forward the WWW-Authenticate and Authorization
> 	headers untouched....
> 
> I would like MUST to be SHOULD.  I've brought this up once before.
> There may be services (LPWA, lpwa.com, is one such) whose legitimate
> purpose is to provide authentication services for a user, such as
> replacing special character sequences in Authorization with a user's
> computed identity.  The proxy ought to be able to do so without being
> considered non-compliant.
> 
> 2) Sect 3.2.1, under "nonce"
> 	... is the dotted quad IP address ...
> 
> How to handle IPv6 addresses?
> 
> 3) Sect 3.2.2, syntax
> 	should be
> 	    entity-digest = <"> ...
> 	    		  ^
> 
> 	The "date" attribute description bears no mention here of what
> 	date we're talking about.  I inferred from text much further on
> 	that it's supposed to mirror the Date header of the
> 	request/response.
> 
> 4) Sect 3.2.2, semantics
> 
> 	Consider sender -> proxy -> receiver.
> 
> 	The entity-digest incorporates information from headers from
> 	the sender.  Consider, for example, Date and Content-Length.  A
> 	proxy could add Date if one were missing.  A proxy could add a
> 	Content-Length after gobbling up something that the sender sent
> 	"chunked".
> 
> 	The receiver wouldn't know that the proxy had added those
> 	headers.  It would use the added headers in its calculation of
> 	entity-digest and derive a different value from what the sender
> 	calculated.
> 
> Dave Kristol
>

Received on Tuesday, 9 December 1997 04:19:00 UTC