CNONCE: proposed resolution

From: Scott Lawrence <lawrence@agranat.com>
Date: Mon, 03 Aug 1998 20:55:50 +0000
Message-Id: <35C623D6.4DF8F3CF@agranat.com>
To: HTTP Working Group <http-wg@cuckoo.hpl.hp.com>
Cc: Paul Leach <paulle@microsoft.com>

In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0031.html and
subsequent messages, the question was raised of how the server should
calculate the various digests if qop=auth or qop=auth-int was sent by the
client, but no cnonce attribute is supplied.

I propose the following clarification for this:

in section 3.2.2 (The Authorization Request Header), append the following to
the description of the cnonce:

    If not present, the null string should be used for this value
    in any digest calculation where 'cnonce' is used.

and add the following text to the end of 4.3 (Limited Use Nonce Values):


   The client generated 'cnonce' value is optional; however, clients
   choosing not to use this mechanism or which do not change the cnonce
   value used cannot authenticate the server, and do not have any message
   integrity protection for responses.

-- 
Scott Lawrence           Consulting Engineer      <lawrence@agranat.com>
Agranat Systems, Inc.  Embedded Web Technology   http://www.agranat.com/
Received on Monday, 3 August 1998 13:58:15 EDT
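
The server-side calculation proposed in the message above, as an added example that is not part of the original message or of the specification text. It assumes the qop=auth request-digest formula MD5(H(A1):nonce:nc:cnonce:qop:H(A2)) as published in RFC 2617; the function names are hypothetical and the sample values are those of the RFC 2617 section 3.5 example.

```python
import hashlib
import hmac
import re

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def request_digest(user, realm, password, method, uri, nonce, nc, qop, cnonce=""):
    """request-digest for qop=auth; an absent cnonce is hashed as the null string."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # H(A1)
    ha2 = md5_hex(f"{method}:{uri}")              # H(A2) for qop=auth
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k=v' into a dict (sketch: no escaped quotes)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or token for key, quoted, token in pairs}

def server_verify(header: str, method: str, password: str) -> bool:
    """Recompute the digest server-side, applying the proposed default."""
    p = parse_authorization(header)
    cnonce = p.get("cnonce", "")  # proposed rule: not present -> null string
    expected = request_digest(p["username"], p["realm"], password, method,
                              p["uri"], p["nonce"], p["nc"], p["qop"], cnonce)
    return hmac.compare_digest(expected, p.get("response", ""))

# Constructed sample input, reusing the values of the RFC 2617 section 3.5 example.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, URI = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "/dir/index.html"

def header_without_cnonce() -> str:
    """What a client that sends qop=auth but omits cnonce would transmit."""
    resp = request_digest(USER, REALM, PASSWORD, "GET", URI, NONCE, "00000001", "auth")
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{URI}", qop=auth, nc=00000001, response="{resp}"')

if __name__ == "__main__":
    print(header_without_cnonce())
    print("accepted:", server_verify(header_without_cnonce(), "GET", PASSWORD))
```

With the default in place, client and server hash the same string `...:nc::qop:...` (two adjacent colons), so the digests agree even though the header carries no cnonce.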
