more on Digest Auth

There has been a lot of nonce-sense spewed here recently about Digest
Authentication.  There is a current I-D:

Unfortunately, the I-D doesn't talk much about how to generate the
opaque string, and opaque is an important part of preventing replays of
the sort recently discussed here.  Unfortunately, I can't figure out
the originator of the algorithm I use to generate opaque, but I think
it was John Franks.  In any case, my opaque is an MD5 of
	- a server-dependent (compile-time) random number
	- a timestamp
	- the request IP address
	- the (time-dependent) nonce
	- the security realm

Opaque in the Authenticate header must match the server's
request-time-calculated value for processing to proceed.
An Authenticate for one server is unlikely to work for another.

I don't know APOP, so I can't comment on its properties.

Received on Wednesday, 21 February 1996 06:07:21 UTC