W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: RFC 2617 erratum on DIGEST auth

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Fri, 02 Mar 2012 21:09:32 +0100
Message-ID: <1330718972.1807.83.camel@home.hno.se>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>
fre 2012-03-02 klockan 09:57 -0700 skrev Peter Saint-Andre:
> Dear HTTP folks,
> 
> I'd appreciate guidance regarding the processing of Erratum #1649, filed
> against RFC 2617 over three years ago. In accordance with
> http://www.ietf.org/iesg/statement/errata-processing.html do people
> think this is a valid erratum, or is further discussion needed?

It's valid.

All MD5 hashes in Digest is in their hex-ascii representation form
(3.1.3). So

         H(data) = MD5(data)

MD5-sess    A1  = H( unq(username-value) ":" unq(realm-value)
                     ":" passwd )
                     ":" unq(nonce-value) ":" unq(cnonce-value)

Gives that the initial hashed part is the 32-character hex MD5 hash
H( unq(username-value) ":" unq(realm-value) ":" passwd )

Note that the example is in general very poor at demonstrating MD5-sess
usage and I would expect many to get the cnonce wrong from looking at
this example code. The code looks innocently capable of MD5-sess when it
in fact is only showing normal MD5 usage. And it does not help that the
code calculates H(A1) directly where the text describing the difference
beteen MD5 and MD5-sess is only looking at A1.

Regards
Henrik
Received on Friday, 2 March 2012 20:10:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:56 GMT