
Is nextnonce mandatory in Authentication-Info?

From: Miguel Garcia <Miguel.An.Garcia@nokia.com>
Date: Thu, 08 Jun 2006 14:26:09 +0300
Message-ID: <44880951.5040801@nokia.com>
To: ietf-http-wg@w3.org


I would like to get feedback about some discussion that popped up 
recently in the IETF AAA WG mailing list.

It is related to RFC 2617 and the interpretation of nextnonce in the 
Authentication-Info header.

Section 3.2.3 of RFC 2617 provides the following ABNF for the 
Authentication-Info header:

         AuthenticationInfo = "Authentication-Info" ":" auth-info
         auth-info          = 1#(nextnonce | [ message-qop ]
                                | [ response-auth ] | [ cnonce ]
                                | [nonce-count] )

This ABNF suggests that the nextnonce is mandatory and the other 
directives are optional.

However, the following paragraph contains a sentence that suggests that 
the nextnonce might be optional:

    "If the
    nextnonce field is present the client SHOULD use it when constructing
    the Authorization header for its next request."

So... there seems to be a contradiction between the ABNF and the text 
"if the nextnonce field is present...". Can I get an opinion of what is 
the common understanding about the nextnonce in Authentication-Info?


           Miguel Garcia

Miguel A. Garcia           tel:+358-50-4804586
Nokia Research Center      Helsinki, Finland
Received on Thursday, 8 June 2006 11:26:24 UTC
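
An added example, not part of the original message or of RFC 2617: a Python parser for the Authentication-Info value, using the directives from the ABNF quoted in the message. Treating nextnonce as optional in nonce_for_next_request is an assumption that follows the quoted "if the nextnonce field is present" sentence; the function names and any sample values are constructed for illustration.

```python
import re

# Directives from the ABNF quoted in the message (RFC 2617 section 3.2.3).
# On the wire, message-qop is "qop", response-auth is "rspauth" and
# nonce-count is "nc".
KNOWN = {"nextnonce", "qop", "rspauth", "cnonce", "nc"}

# One directive: name "=" ( quoted-string | token ), then a comma or the end.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)'
)


def parse_auth_info(value):
    """Parse an Authentication-Info header value into a dict.

    Raises ValueError on malformed input, on unknown or repeated
    directives, and on an empty list (the ABNF's 1# needs one element).
    """
    out, pos = {}, 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m:
            raise ValueError("malformed directive at offset %d" % pos)
        name = m.group(1).lower()
        if name not in KNOWN:
            raise ValueError("unknown directive: " + name)
        if name in out:
            # A repeated nextnonce would make the client's choice ambiguous.
            raise ValueError("repeated directive: " + name)
        quoted, token = m.group(2), m.group(3)
        # Undo quoted-pair escaping inside a quoted-string value.
        out[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        pos = m.end()
    if not out:
        raise ValueError("empty auth-info")
    return out


def nonce_for_next_request(current_nonce, header_value):
    """Assumed lenient reading: use nextnonce if sent, else keep the nonce."""
    info = parse_auth_info(header_value) if header_value is not None else {}
    return info.get("nextnonce", current_nonce)
```

A client that instead reads the ABNF as requiring nextnonce would reject a parsed result that lacks that key rather than fall back to the current nonce.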
