RE: Where we stand on Digest Authentication

I read the latest draft. Something leapt out at me for the first time
despite having read it many times -- Digest-Message-Digest. All of my
advocacy about incrementing nonces may have been unnecessary, because
what I want to do *might* be made possible by Digest-Message-Digest,
but I can't tell because its description is a little skimpy.

So, let me ask some clarifying questions about Digest-Message-Digest, 
and then explain what I mean.

The fields in the Digest-Message-Digest header need to be described to 
the same level as the ones in the WWW-Authenticate and the 
Authorization headers.


I know that the whole header is optional, but, if it is sent, are all
the parameters optional too?

What is the "nonce=" for? Is its value supposed to replace the one the 
client is currently using?

What purpose might the <username> and <realm> parts of the reply serve
-- what might the client do with them?


If the value of the nonce parameter is supposed to replace the one the
client is using, and if this is how current shipping clients (if any)
behave, then I will happily withdraw my "incrementing nonce" proposal.
A server that wants to prevent replays can give the client a new nonce 
on each response, constructing it by incrementing or randomizing or 
timestamps or whatever it wants.


Received on Tuesday, 27 February 1996 10:07:03 UTC
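The replay-prevention scheme the post sketches (server hands the client a fresh nonce in every response, and refuses any nonce it has already accepted once) can be shown end to end in a few dozen lines. The code below is an added illustration, not part of the original message or of any draft it discusses. It assumes the RFC 2069-style request digest H(H(A1):nonce:H(A2)) with MD5, and it models the nonce= parameter of Digest-Message-Digest as a replacement nonce the client is expected to adopt, which is exactly the reading the post is asking about and not something the draft text confirms; usernames, passwords, realm and URIs are constructed sample values.

```python
import hashlib
import hmac
import os


def h(s: str) -> str:
    """MD5 hex digest, the hash Digest Authentication used at the time."""
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2069-style request digest: H(H(A1) : nonce : H(A2))."""
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Issues one-time nonces and returns a replacement nonce in each
    successful response. The 'replacement nonce' behaviour is an assumption
    about how Digest-Message-Digest's nonce= parameter might be used."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # constructed demo table: username -> password
        self.outstanding = set()    # nonces issued and not yet consumed
        self.consumed = set()       # nonces already accepted once

    def _new_nonce(self):
        nonce = os.urandom(8).hex()  # random, so unpredictable to a third party
        self.outstanding.add(nonce)
        return nonce

    def challenge(self):
        """WWW-Authenticate parameters sent with a 401."""
        return {"realm": self.realm, "nonce": self._new_nonce()}

    def handle(self, method, uri, auth):
        """Return (status, header_params). Each nonce is accepted at most once,
        so a replayed Authorization header gets a 401 and a new challenge."""
        nonce = auth.get("nonce")
        if nonce not in self.outstanding or nonce in self.consumed:
            return 401, self.challenge()
        password = self.users.get(auth.get("username"))
        if password is None:
            return 401, self.challenge()
        expected = digest_response(auth["username"], self.realm, password,
                                   method, uri, nonce)
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return 401, self.challenge()
        self.outstanding.discard(nonce)
        self.consumed.add(nonce)
        # Fresh nonce for the next request, carried in the response header.
        return 200, {"nonce": self._new_nonce()}


class DigestClient:
    def __init__(self, username, password):
        self.username = username
        self.password = password
        self.realm = None
        self.nonce = None

    def adopt(self, params):
        """Take realm/nonce from a challenge or from a response's digest header."""
        self.realm = params.get("realm", self.realm)
        self.nonce = params["nonce"]

    def authorization(self, method, uri):
        return {
            "username": self.username,
            "realm": self.realm,
            "nonce": self.nonce,
            "uri": uri,
            "response": digest_response(self.username, self.realm, self.password,
                                        method, uri, self.nonce),
        }


def run_exchange():
    """Constructed exchange; returns the list of status codes observed."""
    server = DigestServer("demo@example.invalid", {"alice": "correct horse"})
    client = DigestClient("alice", "correct horse")
    statuses = []

    # 1. Unauthenticated request -> 401 carrying the first nonce.
    status, params = server.handle("GET", "/secret", {})
    statuses.append(status)
    client.adopt(params)

    # 2. Retry with a valid digest -> 200 plus a replacement nonce.
    auth = client.authorization("GET", "/secret")
    status, params = server.handle("GET", "/secret", auth)
    statuses.append(status)

    # 3. Replay of the identical Authorization header -> refused.
    status, _ = server.handle("GET", "/secret", auth)
    statuses.append(status)

    # 4. Adopt the nonce from step 2's response and continue -> 200.
    client.adopt(params)
    status, _ = server.handle("GET", "/secret", client.authorization("GET", "/secret"))
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(run_exchange())  # [401, 200, 401, 200]
```

The server never needs a counter: because every accepted nonce is retired and the next one arrives with the response, replay of a captured header fails regardless of whether nonces are incremented, random or timestamped, which is the point the post makes. The cost a practitioner should expect is that a strict once-only policy also rejects legitimate requests a client sends in parallel with the same nonce before it has seen the replacement, so real servers usually pair it with a short grace window or a per-nonce use counter rather than a hard single use.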