Re: [Ietf-http-auth] Updating RFC 2617 (HTTP Digest) to use UTF-8 from Ingo Struck on 2006-10-15 (ietf-http-wg@w3.org from October to December 2006)

From: Ingo Struck <lists@ingostruck.de>
Date: Sun, 15 Oct 2006 17:39:42 +0000
To: "Robert Sayre" <sayrer@gmail.com>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <200610151739.43975.lists@ingostruck.de>

Hello Robert,

> I don't think a 2617 update is a good use of time, but I will update
> our networking code in the event an update is completed. MD5-sess is
> essentially unused. An update should drop it.
It is "essentially unused" because essentially nobody
created a correct implementation. As for mozilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=270447
(open since 2004, "Nobody's working on this, feel free to take it"
I would if I had some better knowledge of the internal
ns... data storage api)

I currently implemented a server-side implementation 
of rfc2617 supporting MD5-sess like specified.

Bottom-line of the tests performed is, that nearly any
known rfc2617 client-side implementation is more or less
broken (programmers seem to tend to cut'n'paste the example
code found in the rfc and blindly use it for MD5-sess too,
which is plain wrong).

To sum up only the most severe mal-implementations:
- IE only sends the "opaque" value within the first
  subsequent request, thus rendering MD5-sess basically 
  dysfunctional (you have to combine the sessionid and
  the nounce, instead of being able to use opaque for the
  sid like it is intended)
- some netscape descendants tend to use a stale nonce
  after the server sent an updated nonce
- all netscape/mozilla-based browsers recalculate the 
  session-key for each request (see the bug filed above),
  as well as most other browser implementations (e.g.
  opera)
- opera sends MD5-SESS not MD5-sess
- kio-based browsers send qop and algo quoted
- nonce-count calculus is broken for most clients

I would not drop something, only because it is not widely
used as a result of broken implementations -- the better
way would be to clarify the requirements for a conforming
implementation and the advantages of a working MD5-sess
implementation. In fact MD5-sess could be used as a performance
advantage, both for client and for server implementations:
- both of them need to store some "session state" anyway
  if using digest auth
- usage of MD5-sess saves some MD5-operations (which are
  usually not cheap if you use the common implementations)

Kind regards

Ingo Struck

Received on Sunday, 15 October 2006 16:37:11 UTC