- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Fri, 02 Mar 2012 21:09:32 +0100
- To: Peter Saint-Andre <stpeter@stpeter.im>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>
fre 2012-03-02 klockan 09:57 -0700 skrev Peter Saint-Andre:
> Dear HTTP folks,
>
> I'd appreciate guidance regarding the processing of Erratum #1649, filed
> against RFC 2617 over three years ago. In accordance with
> http://www.ietf.org/iesg/statement/errata-processing.html do people
> think this is a valid erratum, or is further discussion needed?
It's valid.
All MD5 hashes in Digest is in their hex-ascii representation form
(3.1.3). So
H(data) = MD5(data)
MD5-sess A1 = H( unq(username-value) ":" unq(realm-value)
":" passwd )
":" unq(nonce-value) ":" unq(cnonce-value)
Gives that the initial hashed part is the 32-character hex MD5 hash
H( unq(username-value) ":" unq(realm-value) ":" passwd )
Note that the example is in general very poor at demonstrating MD5-sess
usage and I would expect many to get the cnonce wrong from looking at
this example code. The code looks innocently capable of MD5-sess when it
in fact is only showing normal MD5 usage. And it does not help that the
code calculates H(A1) directly where the text describing the difference
beteen MD5 and MD5-sess is only looking at A1.
Regards
Henrik
Received on Friday, 2 March 2012 20:10:12 UTC