questions regarding draft-ietf-http-authentication-01 from Life is hard... and then you die. on 1998-03-26 (ietf-http-wg@w3.org from January to March 1998)

From: Life is hard... and then you die. <Ronald.Tschalaer@psi.ch>
Date: Thu, 26 Mar 1998 06:59:57 +0200
To: HTTP-WG@cuckoo.hpl.hp.com
Message-Id: <98032606595721@psicla.psi.ch>

Two questions regarding draft-ietf-http-authentication-01:

1)  Section 3.2.2, request-digest description:

	If the "qop" value is "auth":

	   request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
					       ":" nc-value
					       ":" unq(cnonce-value)
					       ":" unq(qop-value)
					       ":" H(A2)
				       ) <">

    Shouldn't that be

	If the "qop" value is "auth" or "auth-int":

    ? Otherwise the calculation of request-digest isn't defined for
    qop auth-int.


2)  Section 3.2.2, "MD5-sess" description:

	This creates a 'session key' for the authentication of subsequent
	requests and responses which is different for each session, thus
	limiting the amount of material hashed with any one key. ...

    How long does a session last? I.e. when should this session key be
    discarded? When the server sends a new nonce or new algorithm?



  Cheers,

  Ronald

Received on Wednesday, 25 March 1998 22:06:32 UTC