- From: Jim Whitehead <ejw@cse.ucsc.edu>
- Date: Fri, 26 Oct 2001 10:06:16 -0700
- To: "WebDAV" <w3c-dist-auth@w3.org>
Accidentally caught by the spam filter. I have added Patrick's email address
to the accept2 list, so future email from him will not get caught.
- Jim
-----Original Message-----
From: patrick.mourot@online.fr [mailto:patrick.mourot@online.fr]
Sent: Friday, October 26, 2001 5:09 AM
To: w3c-dist-auth@w3.org
Subject: [Moderator Action] cnonce computing ?
Sir
I'm a bit confused with cnonce in
Computing hash values for authentication.
RFC 2617 (Basic and Digest Access Authentication),
<RFCQUOTE>
3.2.2 The Authorization Request Header
[...]
cnonce
This MUST be specified if a qop directive is sent (see above), and
MUST NOT be specified if the server did not send a qop directive in
the WWW-Authenticate header field.
[...]
3.2.2.1 Request-Digest
[...]
If the "qop" directive is not present (this construction is for
compatibility with RFC 2069):
request-digest = <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">
See below for the definitions for A1 and A2.
3.2.2.2 A1
[...]
If the "algorithm" directive's value is "MD5-sess", then A1 is
calculated only once - on the first request by the client following
receipt of a WWW-Authenticate challenge from the server. It uses the
server nonce from that challenge, and the first client nonce value to
construct A1 as follows:
A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd )
":" unq(nonce-value) ":" unq(cnonce-value)
</RFCQUOTE> ^^^^^^^^^^^
If we have no qop and "algorithm" as "MD5-sess", what is cnonce-value
since we don't have a cnonce ? Does it happen ?
TIA
Patrick
Received on Friday, 26 October 2001 13:10:12 UTC