more on Digest Auth

From: Dave Kristol <dmk@allegra.att.com>
Date: Wed, 21 Feb 96 08:59:18 EST
Message-Id: <9602211359.AA21600@zp.tempo.att.com.tempo.att.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

There has been a lot of nonce-sense spewed here recently about Digest
Authentication.  There is a current I-D:
  http://www.internic.net/internet-drafts/draft-ietf-http-digest-aa-02.txt

Unfortunately, the I-D doesn't talk much about how to generate the
opaque string, and opaque is an important part of preventing replays of
the sort recently discussed here.  Unfortunately, I can't figure out
the originator of the algorithm I use to generate opaque, but I think
it was John Franks.  In any case, my opaque is an MD5 of
	- a server-dependent (compile-time) random number
	- a timestamp
	- the request IP address
	- the (time-dependent) nonce
	- the security realm

Opaque in the Authenticate header must match the server's
request-time-calculated value for processing to proceed.
An Authenticate for one server is unlikely to work for another.

I don't know APOP, so I can't comment on its properties.
Received on Wednesday, 21 February 1996 06:07:21 UTC