Two questions regarding draft-ietf-http-authentication-01:

1) Section 3.2.2, request-digest description:

    If the "qop" value is "auth":

    request-digest = <"> < KD ( H(A1), unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" H(A2) ) <">

Shouldn't that be

    If the "qop" value is "auth" or "auth-int":

? Otherwise the calculation of request-digest isn't defined for qop auth-int.

2) Section 3.2.2, "MD5-sess" description:

    This creates a 'session key' for the authentication of subsequent requests and responses which is different for each session, thus limiting the amount of material hashed with any one key. ...

How long does a session last? I.e. when should this session key be discarded? When the server sends a new nonce or new algorithm?

Cheers,

Ronald

Received on Wednesday, 25 March 1998 22:06:32 UTC