RE: RFC 2617 Authentication sessions

From: Adam Roach <adam@dynamicsoft.com>
Date: Mon, 1 Dec 2003 11:00:59 -0600
Message-ID: <9BF66EBF6BEFD942915B4D4D45C051F3E86679@dyn-tx-exch-001.dynamicsoft.com>
To: "'Scott Lawrence'" <scott-http@skrb.org>
Cc: ietf-http-wg@w3.org

> > If we're opening this section for revisions, can we please
> > also address the issue of whether the session key is recalculated
> > when the server sends an Auth-Info header with nextnonce?
> 
> I don't think that is ambiguous given the current text.  If the server
> sends a nextnonce, then it wants the client to start using it.

I agree that such behavior is logical; however, the text that
you just sent out says:

   If the "algorithm" directive's value is "MD5-sess", then A1 is
   calculated only once - on the first request by the client following
   receipt of a WWW-Authenticate challenge from the server.

So... when you get a nextnonce, do you recalculate A1? Is that what
you mean by "start using it?" Or do you calculate A1 "only once -
on the first request by the client following receipt of a
WWW-Authenticate challenge from the server," as the foregoing text
indicates?

/a
Received on Monday, 1 December 2003 12:01:02 GMT
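
The two readings contrasted in the message above, as an added example that is not part of the original post or of RFC 2617: it computes the MD5-sess request digest for the first request sent with a nextnonce, once with A1 kept from the original challenge and once with A1 rebuilt from the nextnonce, and shows that a client and server choosing different readings never agree. The function names, the policy labels and all sample values are constructed for illustration; reusing the same cnonce after nextnonce is an assumption.

```python
import hashlib

POLICIES = ("once", "recalculate")

def H(data: str) -> str:
    # RFC 2617 represents an MD5 digest as 32 lowercase hex characters.
    return hashlib.md5(data.encode()).hexdigest()

def session_a1(user, realm, password, nonce, cnonce):
    # MD5-sess: A1 = H(user:realm:passwd) ":" nonce ":" cnonce
    return f"{H(f'{user}:{realm}:{password}')}:{nonce}:{cnonce}"

def digest_response(a1, nonce, nc, cnonce, method, uri, qop="auth"):
    # request-digest = H( H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2) )
    return H(f"{H(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{H(f'{method}:{uri}')}")

def response_after_nextnonce(policy, cred, challenge_nonce, next_nonce, cnonce, method, uri):
    """Digest for the first request that carries next_nonce.

    policy "once":        A1 stays bound to the nonce from the WWW-Authenticate challenge.
    policy "recalculate": A1 is rebuilt from next_nonce.
    """
    if policy not in POLICIES:
        raise ValueError(policy)
    key_nonce = challenge_nonce if policy == "once" else next_nonce
    a1 = session_a1(*cred, key_nonce, cnonce)
    # nc counts requests per nonce, so it restarts; reusing cnonce is an assumption.
    return digest_response(a1, next_nonce, "00000001", cnonce, method, uri)

def interop_matrix(cred, challenge_nonce, next_nonce, cnonce, method="GET", uri="/"):
    """Map (client_policy, server_policy) -> True if the server accepts the client's digest."""
    args = (cred, challenge_nonce, next_nonce, cnonce, method, uri)
    return {(c, s): response_after_nextnonce(c, *args) == response_after_nextnonce(s, *args)
            for c in POLICIES for s in POLICIES}

# Constructed sample values, not taken from the thread or from any real exchange.
CRED = ("alice", "example", "correct horse")
MATRIX = interop_matrix(CRED, "nonce-from-challenge", "nonce-from-auth-info", "client-nonce-1")

if __name__ == "__main__":
    for (client, server), ok in MATRIX.items():
        print(f"client={client:<12} server={server:<12} accepted={ok}")
```

Only the two rows where client and server apply the same reading are accepted, which is why the wording of the "only once" sentence matters for interoperability.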