FW: [Moderator Action] cnonce computing ?

From: Jim Whitehead <ejw@cse.ucsc.edu>
Date: Fri, 26 Oct 2001 10:06:16 -0700
To: "WebDAV" <w3c-dist-auth@w3.org>
Accidentally caught by the spam filter. I have added Patrick's email address
to the accept2 list, so future email from him will not get caught.

- Jim

-----Original Message-----
From: patrick.mourot@online.fr [mailto:patrick.mourot@online.fr]
Sent: Friday, October 26, 2001 5:09 AM
To: w3c-dist-auth@w3.org
Subject: [Moderator Action] cnonce computing ?


I'm a bit confused with cnonce in
Computing hash values for authentication.
RFC 2617 (Basic and Digest Access Authentication),

3.2.2 The Authorization Request Header


     This MUST be specified if a qop directive is sent (see above), and
     MUST NOT be specified if the server did not send a qop directive in
     the WWW-Authenticate header field.

[...]

Request-Digest


If the "qop" directive is not present (this construction is for
compatibility with RFC 2069):
  request-digest  = <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">

See below for the definitions for A1 and A2.

A1


If the "algorithm" directive's value is "MD5-sess", then A1 is
calculated only once - on the first request by the client following
receipt of a WWW-Authenticate challenge from the server.  It uses the
server nonce from that challenge, and the first client nonce value to
construct A1 as follows:

  A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd )
          ":" unq(nonce-value) ":" unq(cnonce-value)

</RFCQUOTE>                            ^^^^^^^^^^^

If we have no qop and "algorithm" as "MD5-sess", what is cnonce-value
since we don't have a cnonce? Does it happen?


Received on Friday, 26 October 2001 13:10:12 UTC
