Re: still more Digest Authentication comments

I said:
  > >>The case problem (is it 789ABCDEF or 789abcdef?) is important because
  > >>digests of A1 and A2 themselves get digested in <digest>.  Clearly a
  > >>digest of 789ABCDEF is different from a digest of 789abcdef.

Eric Sink said:
  > >I agree with Dave on this.  It makes a difference, and it's easier to just
  > >be explicit.

Phillip Hallam-Baker responded:
  > Hang on a second. WHERE is this thought to occur?
  > If a Digest is being digested then it is the digest value that is digested. Not
  > the digest converted to base 16, 64 or any other form.
  > This is essential since otherwise it introduces unnecessary transformations
  > when gating HTTP-NG.
  > The Digest is the 128 bits of information. The hexadecimal is nothing other than 
  > a means of transporting the digest. If this is unclear in the spec it should be 
  > made so.
  > Specifying use of upper or lowercase should be irrelevant.

Eric Sink said (in response to another follow-up):
  > I disagree.  I think the choice of base64 vs. base16 is purely arbitrary,
  > since the space savings is hardly significant.  John Franks has already
  > implemented Digest using base16 in his WN server.  Spyglass has already
  > implemented Digest using base16 in our client, which is shipping.  My
  > understanding is that Netscape has implemented Digest using base16 for a
  > future release of their server.
  > I see no compelling reason to change to base64.

FWIW, I've implemented John Franks's scheme in my server using base16.
I think that biased my thinking.  Phillip is right that MD5 is 128 bits,
and nothing need be said about encodings, except for transport.  However,
existing (shipping) implementations tend to carry weight.  Gee, I hope
they made interoperable design choices!

That said,
1) The fact that there has been discussion points out that the spec.
needs to be tightened up to be absolutely clear.  The words I proposed
yesterday(?) would at least impose a particular interpretation that, I
think, would result in consistent (interoperable) implementations.

2) If 16 binary bytes should be used for each of H(A1) and H(A2) in
<digest>, or for H(A1) in <message-digest>, why bother with the ':'s?

Dave Kristol

Received on Thursday, 23 March 1995 07:43:12 UTC
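The encoding question in this thread, as an added example that is not from the original post: it computes the Digest response three ways (lowercase hex, uppercase hex, raw 16 bytes) and shows that a client and server that pick different encodings of H(A1) and H(A2) never produce the same response. The construction assumed here is the one later written into RFC 2069 (A1 = user:realm:password, A2 = method:uri, response = H(H(A1) ":" nonce ":" H(A2))); the credentials and nonce are constructed sample values.

```python
import hashlib

# Assumed from RFC 2069: MD5 is the hash, and the inner digests are
# fed back into the outer digest after an encoding step. The thread's
# question is precisely which encoding that step uses.
def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()  # 16 raw bytes, the "128 bits"


def encode_inner(digest: bytes, form: str) -> bytes:
    """Encode an inner digest the way a given implementation might."""
    if form == "lower":   # base16, lowercase: 789abcdef...
        return digest.hex().encode("ascii")
    if form == "upper":   # base16, uppercase: 789ABCDEF...
        return digest.hex().upper().encode("ascii")
    if form == "raw":     # the 16 binary bytes, no transport encoding
        return digest
    raise ValueError(f"unknown encoding form: {form}")


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str, form: str) -> str:
    """Compute response = H(H(A1) ':' nonce ':' H(A2)) for one encoding choice.

    The final value is always transported as lowercase hex; only the
    encoding of the *inner* digests varies with `form`.
    """
    a1 = f"{username}:{realm}:{password}".encode("utf-8")
    a2 = f"{method}:{uri}".encode("utf-8")
    h_a1 = encode_inner(md5(a1), form)
    h_a2 = encode_inner(md5(a2), form)
    return md5(h_a1 + b":" + nonce.encode("ascii") + b":" + h_a2).hex()


def responses_for_all_forms(**kw) -> dict:
    """Same credentials, same nonce, three encoding conventions."""
    return {form: digest_response(form=form, **kw)
            for form in ("lower", "upper", "raw")}


# Constructed sample values (not from the thread or any RFC).
SAMPLE = dict(username="mufasa", realm="example-realm", password="s3cret",
              method="GET", uri="/dir/index.html",
              nonce="0123456789abcdef0123456789abcdef")

if __name__ == "__main__":
    for form, resp in responses_for_all_forms(**SAMPLE).items():
        print(f"{form:>5}: {resp}")
```

A server that checks the client's response against only one of these three values rejects every client that chose a different convention, which is why the spec has to name one.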