W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

questions regarding draft-ietf-http-authentication-01

From: Life is hard... and then you die. <Ronald.Tschalaer@psi.ch>
Date: Thu, 26 Mar 1998 06:59:57 +0200
Message-Id: <98032606595721@psicla.psi.ch>
To: HTTP-WG@cuckoo.hpl.hp.com

Two questions regarding draft-ietf-http-authentication-01:

1)  Section 3.2.2, request-digest description:

	If the "qop" value is "auth":

	   request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
					       ":" nc-value
					       ":" unq(cnonce-value)
					       ":" unq(qop-value)
					       ":" H(A2)
				       ) <">

    Shouldn't that be

	If the "qop" value is "auth" or "auth-int":

    ? Otherwise the calculation of request-digest isn't defined for
    qop auth-int.


2)  Section 3.2.2, "MD5-sess" description:

	This creates a 'session key' for the authentication of subsequent
	requests and responses which is different for each session, thus
	limiting the amount of material hashed with any one key. ...

    How long does a session last? I.e. when should this session key be
    discarded? When the server sends a new nonce or new algorithm?



  Cheers,

  Ronald
Received on Wednesday, 25 March 1998 22:06:32 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:14 EDT