- From: Dave Kristol <dmk@bell-labs.com>
- Date: Fri, 10 Apr 1998 11:56:55 -0400
- To: http-wg@cuckoo.hpl.hp.com
Whoops! I really blew that. H(A1) is, in fact, the secret for KD(). Dave Kristol ============== Dave Kristol wrote: > > 3.2.1 The WWW-Authenticate Response Header > > We define function KD as: > KD(secret, data) = H(concat(secret, ":", data)) > > 3.2.2 The Authorization Request Header > > The spec. says: > If the "qop" directive is not present (this construction is for > compatibility with RFC 2069): > > request-digest = > <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <"> > > see below for the defintions for A1 and A2. > > If the "qop" value is "auth": > > request-digest = <"> < KD ( H(A1), unq(nonce-value) > ":" nc-value > ":" unq(cnonce-value) > ":" unq(qop-value) > ":" H(A2) > ) <"> > > Note that in neither of these uses of KD() are there two arguments! > > I believe the first use of KD() is actually incorrect, although the > description is inherited from RFC 2069. I think it should be H(), not > KD(). > > It's not clear to me whether the other use of KD() is correct, or > whether it, too, should be H(). If it should be H() (and I think so), > then we should remove all references to KD(), which is not actually > used. > > Dave Kristol
Received on Friday, 10 April 1998 09:00:22 UTC