W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: RFC 2617 erratum on DIGEST auth

From: Peter Saint-Andre <stpeter@stpeter.im>
Date: Tue, 06 Mar 2012 12:34:43 -0700
Message-ID: <4F5666D3.4010505@stpeter.im>
To: Henrik Nordström <henrik@henriknordstrom.net>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>
On 3/2/12 1:09 PM, Henrik Nordström wrote:
> fre 2012-03-02 klockan 09:57 -0700 skrev Peter Saint-Andre:
>> Dear HTTP folks,
>>
>> I'd appreciate guidance regarding the processing of Erratum #1649, filed
>> against RFC 2617 over three years ago. In accordance with
>> http://www.ietf.org/iesg/statement/errata-processing.html do people
>> think this is a valid erratum, or is further discussion needed?
> 
> It's valid.

Thanks for checking.

> All MD5 hashes in Digest is in their hex-ascii representation form
> (3.1.3). So
> 
>          H(data) = MD5(data)
> 
> MD5-sess    A1  = H( unq(username-value) ":" unq(realm-value)
>                      ":" passwd )
>                      ":" unq(nonce-value) ":" unq(cnonce-value)
> 
> Gives that the initial hashed part is the 32-character hex MD5 hash
> H( unq(username-value) ":" unq(realm-value) ":" passwd )
> 
> Note that the example is in general very poor at demonstrating MD5-sess
> usage and I would expect many to get the cnonce wrong from looking at
> this example code. The code looks innocently capable of MD5-sess when it
> in fact is only showing normal MD5 usage. And it does not help that the
> code calculates H(A1) directly where the text describing the difference
> beteen MD5 and MD5-sess is only looking at A1.

Yes, there are lots of interoperability problems with DIGEST auth, and
the seemingly poor documentation in RFC 2617 (and, separately, RFC 2831
for SASL) certainly doesn't help.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
Received on Tuesday, 6 March 2012 19:35:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:56 GMT