W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 1998

questions regarding draft-ietf-http-authentication-01

From: Life is hard... and then you die. <Ronald.Tschalaer@psi.ch>
Date: Thu, 26 Mar 1998 06:59:57 +0200
Message-Id: <98032606595721@psicla.psi.ch>
To: HTTP-WG@cuckoo.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/5500

Two questions regarding draft-ietf-http-authentication-01:

1)  Section 3.2.2, request-digest description:

	If the "qop" value is "auth":

	   request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
					       ":" nc-value
					       ":" unq(cnonce-value)
					       ":" unq(qop-value)
					       ":" H(A2)
				       ) <">

    Shouldn't that be

	If the "qop" value is "auth" or "auth-int":

    ? Otherwise the calculation of request-digest isn't defined for
    qop auth-int.

2)  Section 3.2.2, "MD5-sess" description:

	This creates a 'session key' for the authentication of subsequent
	requests and responses which is different for each session, thus
	limiting the amount of material hashed with any one key. ...

    How long does a session last? I.e. when should this session key be
    discarded? When the server sends a new nonce or new algorithm?


Received on Wednesday, 25 March 1998 22:06:32 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:04 UTC