- From: Life is hard... and then you die. <Ronald.Tschalaer@psi.ch>
- Date: Mon, 17 Nov 1997 04:18:42 +0200
- To: HTTP-WG%cuckoo.hpl.hp.com@hplb.hpl.hp.com
While implementing the client side of the Digest authentication scheme
(RFC-2069 and draft-ietf-http-digest-aa-rev-00.txt) I've hit a few syntax
and other problems.
1) RFC-2069 specifies the domain param in a challenge as
domain = "domain" "=" <"> 1#URI <">
domain
A comma-separated list of URIs, as specified for HTTP/1.0. The
intent is that the client could use this information to know the
set of URIs for which the same authentication information should be
sent. The URIs in this list may exist on different servers. If
this keyword is omitted or empty, the client should assume that the
domain consists of all URIs on the responding server.
However, the list of URIs is not (unambiguously) parseable because the
"," may be part of the URI (it's one of "uchar"). Consider the following
two examples:
domain="http://www.other.com/a/weird,/path"
domain="http://www.other.com/,http://www.this.com/"
Either can be parsed into a single or into two valid URIs.
Studying the syntax given in section 3.2.1 of rfc-1945 I conclude that
the only separators usable would be one of the "unsafe" class minus the
"%". Of those, SP seems the most reasonable choice to me. Therefore I
would suggest changing the domain param definition to:
domain = "domain" "=" <"> URI *( 1*SP URI ) <">
Another issue is that "as specified for HTTP/1.0" is a little unclear.
Does this really mean any URI? Or just http URLs (and possibly related
ones, such as https://...)? And what about relative URIs - I assume that
they are to be interpreted relative to the absolute URI of the request
which elicited this response? Could this be clarified in the spec.
2) Is there a particular reason the syntax for the digest challenge and
credentials does not follow the general syntax given in rfc-1945 and
rfc-2068?
challenge = auth-scheme 1*SP realm *( "," auth-param )
credentials = basic-credentials
| auth-scheme #auth-param
auth-param = token "=" quoted-string
This syntax is violated in three respects in the digest spec:
1: The value parts of the params "stale", "algorithm" and "uri" are not
quoted strings:
stale = "stale" "=" ( "true" | "false" )
algorithm = "algorithm" "=" ( "MD5" | token )
digest-uri = "uri" "=" digest-uri-value
digest-uri-value = request-uri ; As specified by HTTP/1.1
Suggested changes:
stale = "stale" "=" <"> ( "true" | "false" ) <">
algorithm = "algorithm" "=" <"> ( "MD5" | token ) <">
digest-uri-value = <"> request-uri <"> ; As specified by HTTP/1.1
2: The "digest-required" param does not even have a value part:
digest-required = "digest-required"
Suggested change:
digest-required = "digest-required" = <"> ( "true" | "false" ) <">
(with a corresponding change in textual description of this param)
3: The realm need not be the first param in the challenge:
digest-challenge = 1#( realm | [ domain ] | nonce |
[ opaque ] |[ stale ] | [ algorithm ] |
[ digest-required ] )
Suggested change:
digest-challenge = realm 1#( [ domain ] | nonce |
[ opaque ] |[ stale ] | [ algorithm ] |
[ digest-required ] )
Note that all servers which implement the Digest scheme that I've
run into (to wit: Apache, Agranat-EmWeb, WN and DMKHTD) all do
actually send the realm first.
3) The digest-uri-value is defined as:
digest-uri-value = <"> request-uri <"> ; As specified by HTTP/1.1
I believe this is wrong, or at least misleading. When a proxy is involved
the digest-uri-value must be the request-uri that the server will see,
not the one sent by the client (i.e. the absolute path, not the full
absolute uri). I'm not sure how to best describe this in the spec
though.
Cheers,
Ronald
Received on Sunday, 16 November 1997 23:48:27 UTC