Re: still more Digest auth questions/comments

Whoops!  I really blew that.  H(A1) is, in fact, the secret for KD().

Dave Kristol
==============
Dave Kristol wrote:
> 
> 3.2.1 The WWW-Authenticate Response Header
> 
> We define function KD as:
>       KD(secret, data) = H(concat(secret, ":", data))
> 
> 3.2.2 The Authorization Request Header
> 
> The spec. says:
>     If the "qop" directive is not present (this construction is for
>     compatibility with RFC 2069):
> 
>        request-digest  =
>                   <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">
> 
>     see below for the definitions for A1 and A2.
> 
>     If the "qop" value is "auth":
> 
>        request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
>                                            ":" nc-value
>                                            ":" unq(cnonce-value)
>                                            ":" unq(qop-value)
>                                            ":" H(A2)
>                                    ) <">
> 
> Note that in neither of these uses of KD() are there two arguments!
> 
> I believe the first use of KD() is actually incorrect, although the
> description is inherited from RFC 2069.  I think it should be H(), not
> KD().
> 
> It's not clear to me whether the other use of KD() is correct, or
> whether it, too, should be H().  If it should be H() (and I think so),
> then we should remove all references to KD(), which is not actually
> used.
> 
> Dave Kristol

Received on Friday, 10 April 1998 09:00:22 UTC