
RE: Authentication issue CNONCE: Proposed resolution

From: Paul Leach <paulle@microsoft.com>
Date: Thu, 6 Aug 1998 22:35:39 -0700
Message-Id: <CB6657D3A5E0D111A97700805FFE65875D7426@red-msg-51.dns.microsoft.com>
To: 'Scott Lawrence' <lawrence@agranat.com>, Larry Masinter <masinter@parc.xerox.com>
Cc: HTTP Working Group <http-wg@cuckoo.hpl.hp.com>

How about -- if auth= or auth-int= are specified, cnonce= is required and
MUST be a value never used before by the client?

> -----Original Message-----
> From: Scott Lawrence [mailto:lawrence@agranat.com]
> Sent: Tuesday, July 28, 1998 11:13 AM
> To: Larry Masinter
> Cc: HTTP Working Group
> Subject: Re: Authentication issue CNONCE: Proposed resolution
> 
> 
> Larry Masinter wrote:
> 
> > In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0031.html
> > Dave Kristol wrote:
> > 
> > # 3.2.3 The Authentication-Info Header
> > # cnonce and qop are used in the calculation of response-digest.  The
> > # client is not required to send either cnonce= or auth=.  So I assume
> > # (correct?) that the null string is used for values for omitted
> > # attributes in the calculation.
> > 
> > I suggest that this be the correct interpretation, that the null
> > string is used for values for omitted attributes in the calculation.
> > 
> > # If (to use cnonce as the example) cnonce was omitted, should
> > # Authentication-Info omit cnonce, or should it send cnonce=""?  Same
> > # question for auth.
> > 
> > I propose that either MAY be allowed, since they are equivalent.
> 
> I think that this is an acceptable resolution, but that the Security
> Considerations section will need a short paragraph on the implications of
> leaving this out - the server is then not authenticated to the user agent.
> 
> -- 
> Scott Lawrence            Consulting Engineer        <lawrence@agranat.com>
> Agranat Systems, Inc.   Embedded Web Technology     http://www.agranat.com/
> 
Received on Thursday, 6 August 1998 22:38:23 EDT
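
The point debated in this thread, as an added example that is not part of the original messages: with cnonce omitted (null string in the calculation) a response-digest recorded earlier still verifies later, while a never-reused cnonce makes it fail, and the proposed "qop requires cnonce" rule is a one-line check. It assumes the digest layout later published in RFC 2617 (the draft text is not on this page); all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _h(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def response_digest(user, realm, password, nonce, uri, qop="", nc="", cnonce=""):
    """Server's response-digest for Authentication-Info (RFC 2617 layout, assumed).
    Omitted attributes enter the hash as the null string, as read in the thread.
    The entity-body hash used by auth-int is left out of this sketch."""
    ha1 = _h(f"{user}:{realm}:{password}")
    ha2 = _h(f":{uri}")  # A2 for the response carries no method
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def request_is_acceptable(attrs: dict) -> bool:
    """Proposed rule: qop of auth or auth-int makes cnonce mandatory."""
    if attrs.get("qop") in ("auth", "auth-int"):
        return bool(attrs.get("cnonce"))
    return True

class Client:
    """Hands out cnonce values this client has never used before."""
    def __init__(self):
        self._used = set()

    def fresh_cnonce(self) -> str:
        while True:
            value = secrets.token_hex(16)
            if value not in self._used:
                self._used.add(value)
                return value

# Constructed sample values, not taken from the thread.
CREDS = dict(user="alice", realm="example", password="s3cret",
             nonce="dcd98b7102dd2f0e", uri="/index.html")

def stale_digest_verifies(use_cnonce: bool) -> bool:
    """Would a response-digest recorded in one exchange pass the client's
    check in a later exchange with the same nonce and URI?"""
    client = Client()
    def attrs():
        if not use_cnonce:
            return {}
        return dict(qop="auth", nc="00000001", cnonce=client.fresh_cnonce())
    recorded = response_digest(**CREDS, **attrs())  # exchange 1, genuine server
    expected = response_digest(**CREDS, **attrs())  # exchange 2, client's own value
    return hmac.compare_digest(recorded, expected)
```

`nc` is held constant in both exchanges so that the cnonce is the only value that changes.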
