more Digest auth questions/comments

More stupid Digest authentication questions/comments (and some nits).

Dave Kristol

1) Suppose a client wants to get back an entity digest on a GET.
    a) C->S
	GET /foo HTTP/1.1

    b) C<-S
	HTTP/1.1 401 Unauthorized
	WWW-Authenticate: Digest qop="auth, auth-int", s-other-stuff

    c) C->S
	GET /foo HTTP/1.1
	Authorization: Digest qop="auth-in", c-other-stuff

    Now, for qop="auth-int", the client must include H(entity-body) in
    the calculation of A2.  But there is no entity-body.  Does the
    client use the null string when it calculates A2?

2) Same example.  Suppose the server decides, for whatever reason, that
it *can't* calculate the response-digest for AuthenticationInfo.  How
should the server respond?  Error code?  (Which one?)  AuthenticateInfo
header with no rspauth attribute?


3.2.1 The WWW-Authenticate Response Header
    has this notation:
	  time-stamp H(time-stamp ":" ETag ":" private-key)
    and this notation:
	  KD(secret, data) = H(concat(secret, ":", data))

    Since the second example is the only instance of concat(), I suggest
    it be changed to be like the rest:
	  KD(secret, data) = H(secret ":" data)

3.2.2 The Authorization Request Header

    "absoluteURL". The "cnonce-value" is an optional  client-chosen
    						    ^-- delete
    value whose purpose is to foil chosen plaintext attacks.

Received on Thursday, 9 April 1998 12:28:47 UTC