W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

RE: still more Digest auth questions/comments

From: Darren Anderson <darrenan@microsoft.com>
Date: Fri, 10 Apr 1998 08:54:59 -0700
Message-Id: <2F2DC5CE035DD1118C8E00805FFE354C0406A403@red-msg-56.dns.microsoft.com>
To: 'Dave Kristol' <dmk@research.bell-labs.com>, http-wg@cuckoo.hpl.hp.com
Read carefully, both of the text samples below have a comma after H(A1).
Everything after the comma is an implicit concatenation.  I believe the
samples below are entirely correct.

-----Original Message-----
From: Dave Kristol [mailto:dmk@research.bell-labs.com]
Sent: Friday, April 10, 1998 8:49 AM
To: http-wg@cuckoo.hpl.hp.com
Subject: still more Digest auth questions/comments


3.2.1 The WWW-Authenticate Response Header

We define function KD as:
      KD(secret, data) = H(concat(secret, ":", data))

3.2.2 The Authorization Request Header

The spec. says:
    If the "qop" directive is not present (this construction is for
    compatibility with RFC 2069):

       request-digest  =
		  <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">

    see below for the defintions for A1 and A2.

    If the "qop" value is "auth":

       request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
					   ":" nc-value
					   ":" unq(cnonce-value)
					   ":" unq(qop-value)
					   ":" H(A2)
				   ) <">

Note that in neither of these uses of KD() are there two arguments!

I believe the first use of KD() is actually incorrect, although the
description is inherited from RFC 2069.  I think it should be H(), not
KD().

It's not clear to me whether the other use of KD() is correct, or
whether it, too, should be H().  If it should be H() (and I think so),
then we should remove all references to KD(), which is not actually
used.

Dave Kristol
Received on Friday, 10 April 1998 08:57:34 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:14 EDT