- From: Dave Kristol <dmk@research.bell-labs.com>
- Date: Thu, 9 Apr 1998 15:25:44 -0400 (EDT)
- To: http-wg@cuckoo.hpl.hp.com
More stupid Digest authentication questions/comments (and some nits).
Dave Kristol
=============
Substantive:
1) Suppose a client wants to get back an entity digest on a GET.
a) C->S
GET /foo HTTP/1.1
...
b) C<-S
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest qop="auth, auth-int", s-other-stuff
...
c) C->S
GET /foo HTTP/1.1
Authorization: Digest qop="auth-int", c-other-stuff
...
Now, for qop="auth-int", the client must include H(entity-body) in
the calculation of A2. But there is no entity-body. Does the
client use the null string when it calculates A2?
2) Same example. Suppose the server decides, for whatever reason, that
it *can't* calculate the response-digest for AuthenticationInfo. How
should the server respond? Error code? (Which one?) AuthenticateInfo
header with no rspauth attribute?
Nits:
3.2.1 The WWW-Authenticate Response Header
has this notation:
time-stamp H(time-stamp ":" ETag ":" private-key)
and this notation:
KD(secret, data) = H(concat(secret, ":", data))
Since the second example is the only instance of concat(), I suggest
it be changed to be like the rest:
KD(secret, data) = H(secret ":" data)
3.2.2 The Authorization Request Header
"absoluteURL". The "cnonce-value" is an optional client-chosen
^-- delete
value whose purpose is to foil chosen plaintext attacks.
Received on Thursday, 9 April 1998 12:28:47 UTC
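To make the two substantive questions concrete, here is an added worked example (my own code, not anything from the draft or from the message above) that carries out the Digest arithmetic the message refers to: the KD(secret, data) = H(secret ":" data) form, A2 for qop="auth" and qop="auth-int", the request "response" value, and the "rspauth" value a server would put in Authentication-Info. The known-answer values are the ones RFC 2617 section 3.5 gives for user "Mufasa"; the GET /foo exchange with an empty body is constructed for this example, and treating a missing entity-body as the empty string (so H(entity-body) is MD5 of zero bytes) is an assumption, which is precisely the reading question 1 asks about. The header names, nonce, and cnonce in the demo are constructed sample values.

```python
"""Digest access authentication arithmetic for qop="auth" and qop="auth-int".

Added example; hashes are MD5 as in RFC 2069/2617. Server-side checks use a
constant-time compare so response verification does not leak timing.
"""
import hashlib
import hmac


def H(data: bytes) -> str:
    """H(data): hex MD5 digest of the unquoted octets."""
    return hashlib.md5(data).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data), the notation suggested in the mail."""
    return H(f"{secret}:{data}".encode())


def hash_a1(username: str, realm: str, password: str) -> str:
    """H(A1) with A1 = username ":" realm ":" password (no algorithm=MD5-sess here)."""
    return H(f"{username}:{realm}:{password}".encode())


def a2_string(method: str, digest_uri: str, qop: str, entity_body: bytes = b"") -> str:
    """Unhashed A2. For auth-int, the entity-body hash is appended; an absent
    body is treated as the empty string (assumption discussed in the lead-in)."""
    if qop == "auth":
        return f"{method}:{digest_uri}"
    if qop == "auth-int":
        return f"{method}:{digest_uri}:{H(entity_body)}"
    raise ValueError(f"unsupported qop: {qop!r}")


def hash_a2(method: str, digest_uri: str, qop: str, entity_body: bytes = b"") -> str:
    return H(a2_string(method, digest_uri, qop, entity_body).encode())


def compute_response(ha1: str, method: str, digest_uri: str, nonce: str, nc: str,
                     cnonce: str, qop: str, entity_body: bytes = b"") -> str:
    """request-digest = KD(H(A1), nonce ":" nc ":" cnonce ":" qop ":" H(A2))."""
    ha2 = hash_a2(method, digest_uri, qop, entity_body)
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def compute_rspauth(ha1: str, digest_uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str, response_body: bytes = b"") -> str:
    """Authentication-Info rspauth: same as the request digest, but A2 uses an
    empty method and, for auth-int, the hash of the *response* entity-body."""
    return compute_response(ha1, "", digest_uri, nonce, nc, cnonce, qop, response_body)


def server_verify(ha1: str, method: str, digest_uri: str, nonce: str, nc: str,
                  cnonce: str, qop: str, presented: str, entity_body: bytes = b"") -> bool:
    """Server-side check of a presented response value (constant-time compare)."""
    expected = compute_response(ha1, method, digest_uri, nonce, nc, cnonce, qop, entity_body)
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Known-answer check from RFC 2617 3.5, then the GET-with-no-body case."""
    ha1 = hash_a1("Mufasa", "testrealm@host.com", "Circle Of Life")
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    rfc_response = compute_response(ha1, "GET", "/dir/index.html", nonce, nc, cnonce, "auth")

    # Constructed: the GET /foo exchange from the mail, qop="auth-int", no entity-body.
    empty_body_a2 = a2_string("GET", "/foo", "auth-int", b"")
    req = compute_response(ha1, "GET", "/foo", nonce, nc, cnonce, "auth-int", b"")
    ok = server_verify(ha1, "GET", "/foo", nonce, nc, cnonce, "auth-int", req, b"")
    # Server answer carrying a body; rspauth covers that body under auth-int.
    rsp = compute_rspauth(ha1, "/foo", nonce, nc, cnonce, "auth-int", b"<html>foo</html>")
    return {"rfc_response": rfc_response, "empty_body_a2": empty_body_a2,
            "request_ok": ok, "rspauth": rsp}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the question in the mail is real: the draft text does not say what H(entity-body) is when there is no body, and implementations that pick "hash of the empty string" and ones that omit the field will disagree on A2 and reject each other's requests. The rspauth helper shows the other half of the exchange; if a server cannot compute it (question 2), the value is simply unavailable, and nothing in this example fabricates one.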