
Re: RFC 2617 Authentication sessions

From: Scott Lawrence <scott-http@skrb.org>
Date: Mon, 01 Dec 2003 10:59:05 -0500
To: Adam Roach <adam@dynamicsoft.com>
Cc: ietf-http-wg@w3.org
Message-ID: <m3fzg4ttpy.fsf@kathmandu.pingtel.com>

Adam Roach <adam@dynamicsoft.com> writes:

>> 3.2.2.2 A1
> ...
>>    This creates a 'session key' for the authentication of subsequent
>>    requests and responses which is different for each "authentication
>>    session", thus limiting the amount of material hashed with any one
>>    key.  (Note: see further discussion of the authentication session in
>>    section 3.3.) Because the server need only use the hash of the user
>>    credentials in order to create the A1 value, this construction could
>>    be used in conjunction with a third party authentication service so
>>    that the web server would not need the actual password value.  The
>>    specification of such a protocol is beyond the scope of this
>>    specification.
>
> If we're opening this section for revisions, can we please
> also address the issue of whether the session key is recalculated
> when the server sends an Auth-Info header with nextnonce?

I don't think that is ambiguous given the current text.  If the server
sends a nextnonce, then it wants the client to start using it.  I
don't think that servers that are choosing to use MD5-sess mode will
do that very often, but that is a different question and not one that
a standard needs to or should address.

-- 
Scott Lawrence        
  http://skrb.org/scott/
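The exchange above turns on two points in the quoted RFC 2617 text: the MD5-sess "session key" A1 is built from H(username:realm:password) rather than the password itself, and a nonce change (initial challenge or an Authentication-Info nextnonce) changes that key. The following Python is an added example written for this archive page; it is not code from the thread, from RFC 2617, or from any of the participants. It models Scott's reading that a nextnonce starts a new session key, keeps one cnonce per session as a simplification (the RFC ties A1 to the nonce and cnonce of the first request after a challenge), and uses constructed sample credentials and nonce values.

```python
import hashlib
import secrets


def h(data: str) -> str:
    """H() as used in RFC 2617 Digest: lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def user_credential_hash(username: str, realm: str, password: str) -> str:
    """H(username:realm:password). For MD5-sess this hash is all the verifier
    needs, so the plaintext password can stay with a separate auth service."""
    return h(f"{username}:{realm}:{password}")


def md5_sess_a1(h_user_cred: str, nonce: str, cnonce: str) -> str:
    """MD5-sess session key: A1 = H( H(user:realm:pass) ":" nonce ":" cnonce ).
    Takes the credential hash, not the password, so both ends can compute it."""
    return h(f"{h_user_cred}:{nonce}:{cnonce}")


def digest_response(a1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """request-digest for qop=auth: H(A1:nonce:nc:cnonce:qop:H(A2)), A2 = method:uri."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class ServerSide:
    """Constructed stand-in for the web server: it stores only the credential hash."""

    def __init__(self, h_user_cred: str):
        self.h_user_cred = h_user_cred

    def verify(self, method, uri, nonce, nc, cnonce, response) -> bool:
        # Rebuild the session key from the request's nonce/cnonce and compare
        # in constant time; the password is never needed here.
        a1 = md5_sess_a1(self.h_user_cred, nonce, cnonce)
        expected = digest_response(a1, method, uri, nonce, nc, cnonce)
        return secrets.compare_digest(expected, response)


class ClientSession:
    """Constructed client: one cnonce and one A1 per nonce (simplification, see lead-in)."""

    def __init__(self, username, realm, password, nonce):
        self.h_cred = user_credential_hash(username, realm, password)
        self.start_session(nonce)

    def start_session(self, nonce: str) -> None:
        # A new nonce, whether from the WWW-Authenticate challenge or from an
        # Authentication-Info nextnonce, means a fresh cnonce, a fresh A1 and a
        # nonce-count restarting at 1 (Scott's reading of the text).
        self.nonce = nonce
        self.cnonce = secrets.token_hex(8)
        self.a1 = md5_sess_a1(self.h_cred, nonce, self.cnonce)
        self.nc = 0

    def request(self, method: str, uri: str) -> dict:
        self.nc += 1
        nc = f"{self.nc:08x}"
        resp = digest_response(self.a1, method, uri, self.nonce, nc, self.cnonce)
        return dict(method=method, uri=uri, nonce=self.nonce, nc=nc,
                    cnonce=self.cnonce, response=resp)


def run_session() -> dict:
    """Walk one authentication session through a nextnonce and return what happened."""
    realm = "testrealm@host.com"                      # constructed sample realm
    server = ServerSide(user_credential_hash("Mufasa", realm, "Circle Of Life"))
    client = ClientSession("Mufasa", realm, "Circle Of Life",
                           nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")  # sample nonce
    first = client.request("GET", "/dir/index.html")
    first_ok = server.verify(**first)
    a1_before = client.a1

    # Server's Authentication-Info carried nextnonce; client starts using it.
    client.start_session("0a4f113b0a4f113b0a4f113b0a4f113b")  # constructed next nonce
    second = client.request("GET", "/dir/index.html")
    second_ok = server.verify(**second)

    # Wrong password: the credential hash differs, so no session key matches.
    impostor = ClientSession("Mufasa", realm, "not the password", nonce=client.nonce)
    impostor_ok = server.verify(**impostor.request("GET", "/dir/index.html"))

    return {"first_ok": first_ok, "second_ok": second_ok,
            "a1_changed": a1_before != client.a1,
            "nc_reset": second["nc"] == "00000001", "impostor_ok": impostor_ok}


if __name__ == "__main__":
    print(run_session())
```

The point to take from the server side is that `ServerSide` never sees the password, only `user_credential_hash`, which is what lets the quoted text talk about a third party authentication service; the point to take from the client side is that `start_session` is the only place the session key is derived, so the nextnonce question reduces to whether that method is called again.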
Received on Monday, 1 December 2003 10:59:11 GMT
