
Re: still more Digest auth questions/comments

From: Dave Kristol <dmk@bell-labs.com>
Date: Fri, 10 Apr 1998 11:56:55 -0400
Message-Id: <352E4147.3810@bell-labs.com>
To: http-wg@cuckoo.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/43
Whoops!  I really blew that.  H(A1) is, in fact, the secret for KD().

Dave Kristol
==============
Dave Kristol wrote:
> 
> 3.2.1 The WWW-Authenticate Response Header
> 
> We define function KD as:
>       KD(secret, data) = H(concat(secret, ":", data))
> 
> 3.2.2 The Authorization Request Header
> 
> The spec. says:
>     If the "qop" directive is not present (this construction is for
>     compatibility with RFC 2069):
> 
>        request-digest  =
>                   <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">
> 
>     see below for the definitions for A1 and A2.
> 
>     If the "qop" value is "auth":
> 
>        request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
>                                            ":" nc-value
>                                            ":" unq(cnonce-value)
>                                            ":" unq(qop-value)
>                                            ":" H(A2)
>                                    ) <">
> 
> Note that in neither of these uses of KD() are there two arguments!
> 
> I believe the first use of KD() is actually incorrect, although the
> description is inherited from RFC 2069.  I think it should be H(), not
> KD().
> 
> It's not clear to me whether the other use of KD() is correct, or
> whether it, too, should be H().  If it should be H() (and I think so),
> then we should remove all references to KD(), which is not actually
> used.
> 
> Dave Kristol
Received on Friday, 10 April 1998 09:00:22 UTC
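The KD()/H() relationship the thread settles on, worked through in Python as an added example (not part of the original post or of the draft). It implements both request-digest forms quoted above exactly as written, so KD() is visibly called with two arguments, H(A1) and the colon-joined data; the sample values are the worked example from RFC 2617 section 3.5, which is what this draft became.

```python
import hashlib
import hmac


def H(data: str) -> str:
    """H() of the draft: hex MD5 of the octet string."""
    return hashlib.md5(data.encode("latin-1")).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(concat(secret, ":", data)); two arguments."""
    return H(f"{secret}:{data}")


def A1(username: str, realm: str, password: str) -> str:
    return f"{username}:{realm}:{password}"


def A2(method: str, uri: str) -> str:
    return f"{method}:{uri}"


def request_digest(username, realm, password, method, uri, nonce,
                   qop=None, nc=None, cnonce=None) -> str:
    """Compute request-digest for the RFC 2069-compatible form (no qop)
    or for qop="auth". H(A1) is the secret argument of KD(), the rest is data."""
    ha1 = H(A1(username, realm, password))
    ha2 = H(A2(method, uri))
    if qop is None:
        return KD(ha1, f"{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is shown here")
    if nc is None or cnonce is None:
        raise ValueError("qop=auth requires nc and cnonce")
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_response(stored_ha1: str, method, uri, nonce, nc, cnonce, response) -> bool:
    """Server side: the server only needs H(A1) (not the password) to recompute
    the expected digest; compare in constant time to avoid timing leaks."""
    expected = KD(stored_ha1, f"{nonce}:{nc}:{cnonce}:auth:{H(A2(method, uri))}")
    return hmac.compare_digest(expected, response)


# RFC 2617 section 3.5 example values (public test vector, not constructed here)
RFC2617_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
                       password="Circle Of Life", method="GET", uri="/dir/index.html",
                       nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                       qop="auth", nc="00000001", cnonce="0a4f113b")
```

Because the server can verify from H(A1) alone, a credential store for Digest holds H(username:realm:password) rather than the cleartext password.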
