W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

more Digest auth questions/comments

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Thu, 9 Apr 1998 15:25:44 -0400 (EDT)
Message-Id: <199804091925.PAA02308@aleatory.research.bell-labs.com>
To: http-wg@cuckoo.hpl.hp.com
More stupid Digest authentication questions/comments (and some nits).

Dave Kristol
=============

Substantive:
1) Suppose a client wants to get back an entity digest on a GET.
    a) C->S
	GET /foo HTTP/1.1
	...

    b) C<-S
	HTTP/1.1 401 Unauthorized
	WWW-Authenticate: Digest qop="auth, auth-int", s-other-stuff
	...

    c) C->S
	GET /foo HTTP/1.1
	Authorization: Digest qop="auth-in", c-other-stuff
	...

    Now, for qop="auth-int", the client must include H(entity-body) in
    the calculation of A2.  But there is no entity-body.  Does the
    client use the null string when it calculates A2?

2) Same example.  Suppose the server decides, for whatever reason, that
it *can't* calculate the response-digest for AuthenticationInfo.  How
should the server respond?  Error code?  (Which one?)  AuthenticateInfo
header with no rspauth attribute?

Nits:

3.2.1 The WWW-Authenticate Response Header
    has this notation:
	  time-stamp H(time-stamp ":" ETag ":" private-key)
    and this notation:
	  KD(secret, data) = H(concat(secret, ":", data))

    Since the second example is the only instance of concat(), I suggest
    it be changed to be like the rest:
	  KD(secret, data) = H(secret ":" data)

3.2.2 The Authorization Request Header

    "absoluteURL". The "cnonce-value" is an optional  client-chosen
    						    ^-- delete
    value whose purpose is to foil chosen plaintext attacks.
Received on Thursday, 9 April 1998 12:28:47 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:14 EDT