W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 1996

Re: more on Digest Auth

From: Paul Leach <paulle@microsoft.com>
Date: Wed, 21 Feb 96 13:27:36 PST
To: dmk@allegra.att.com, ned@innosoft.com
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: red-16-msg960221212023MTP[01.52.00]000000b1-106532
Ned said (]) , in answer to Dave (>):
> Unfortunately, the I-D doesn't talk much about how to generate the
> opaque string, and opaque is an important part of preventing replays of
> the sort recently discussed here.  Unfortunately, I can't figure out
> the originator of the algorithm I use to generate opaque, but I think
> it was John Franks.  In any case, my opaque is an MD5 of

> 	- a server-dependent (compile-time) random number
> 	- a timestamp
> 	- the request IP address
> 	- the (time-dependent) nonce
> 	- the security realm

> Opaque in the Authenticate header must match the server's
> request-time-calculated value for processing to proceed.

] For the material you've selected to work it should be used as the nonce
] value. This is included in the digest and will have the effect you're trying
] to achieve.

The draft also says that the nonce is a "server specified integer 
value". (It _doesn't_ say if it's *HEX or *DIGIT...) If it included all 
the material Dave uses, it would be a pretty big integer, and clients 
probably wouldn't know how to increment it.

Changing the spec to say it's *HEX, and that the last 32 bits is the 
part that clients must increment each time they return it in a request, 
would enable the implementation of your suggestions.

The draft also isn't very specific about what "<message-body>" 
includes.  Does it mean entity-body, or does it include the headers as 
well?  The latter is preferable.

Received on Wednesday, 21 February 1996 13:24:51 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:42:57 UTC