- From: Peter J Churchyard <pjc@trusted.com>
- Date: Mon, 19 Feb 1996 14:37:41 -0500 (EST)
- To: pjc <pjc@hilo.trusted.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
This document describes a simple authentication scheme for http that uses the APOP mechanism as defined in RFC1725 Post Office Protocol - Version 3.

APOP Authentication scheme.

  APOP-Challenge = "APOP" 1*SP apop-realm

  apop-realm     = "<" nonce "@" hostname ">"

  nonce          = <Some string that is unique to this reply>

  hostname       = <the name of the proxy/gateway/server>

The credentials returned on the Authorization header are of the form

  Authorization  = "Authorization" ":" "APOP," "user=" username ",digest=" apopdigest

  apopdigest     = <hexadecimal encoding of the 16 octet value of the MD5 hash of the apop-realm followed by the shared secret. Lower case version of hex characters only (0-9a-f)>

In RFC1725 the random string is in the 'msg-id' format (RFC822), this document allows other similar strings to be used. The main characterization is that it should be unique over a substantial period of time.

Note that no attempt is made to directly tie in the requested URL as part of the scheme.

When there may be multiple connections in parallel it is up to the authorization point to maintain a cache of outstanding valid challenges and to allow each challenge to be used at most once.
Received on Monday, 19 February 1996 11:44:04 UTC