- From: Scott Lawrence <lawrence@agranat.com>
- Date: Mon, 03 Aug 1998 20:55:50 +0000
- To: HTTP Working Group <http-wg@cuckoo.hpl.hp.com>
- Cc: Paul Leach <paulle@microsoft.com>

In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0031.html and
subsequent messages, the question was raised of how the server should
calculate the various digests if qop=auth or qop=auth-int was sent by the
client, but no cnonce attribute is supplied.

I propose the following clarification for this:

in section 3.2.2 (The Authorization Request Header), append the following to
the description of the cnonce:

    If not present, the null string should be used for this value
    in any digest calculation where 'cnonce' is used.

and add the following text to the end of 4.3 (Limited Use Nonce Values):

    The client generated 'cnonce' value is optional; however, clients
    choosing not to use this mechanism or which do not change the cnonce
    value used cannot authenticate the server, and do not have any message
    integrity protection for responses.

--
Scott Lawrence Consulting Engineer <lawrence@agranat.com>
Agranat Systems, Inc. Embedded Web Technology http://www.agranat.com/
Received on Monday, 3 August 1998 13:58:15 UTC
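
The rule proposed in the message above, as an added example that is not part of the original message or of any implementation it refers to: a server-side check that substitutes the null string when qop was sent without a cnonce. It assumes the request-digest formula as published in RFC 2617 (the RFC this draft became) and uses that RFC's sample values; the function names `request_digest` and `verify` are hypothetical.

```python
import hashlib
import hmac


def H(text: str) -> str:
    """H(data) for the default MD5 algorithm, as lowercase hex."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def request_digest(username, realm, password, method, params, body=b""):
    """Expected 'response' value when qop=auth or qop=auth-int was sent."""
    qop = params["qop"]
    if qop not in ("auth", "auth-int"):
        raise ValueError("unsupported qop: %r" % qop)
    # Rule proposed in the message: a missing cnonce is the null string.
    cnonce = params.get("cnonce", "")
    a1 = ":".join([username, realm, password])
    a2 = ":".join([method, params["uri"]])
    if qop == "auth-int":
        a2 += ":" + hashlib.md5(body).hexdigest()  # H(entity-body)
    data = ":".join([params["nonce"], params["nc"], cnonce, qop, H(a2)])
    return H(H(a1) + ":" + data)  # KD(H(A1), data)


def verify(username, realm, password, method, params, body=b""):
    """Constant-time comparison of the client's response with ours."""
    expected = request_digest(username, realm, password, method, params, body)
    supplied = params.get("response", "").lower()
    return hmac.compare_digest(expected.encode(), supplied.encode())


# Sample header fields: the values of the worked example in RFC 2617, sec. 3.5.
SAMPLE = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "qop": "auth",
    "cnonce": "0a4f113b",
}
CREDS = ("Mufasa", "testrealm@host.com", "Circle Of Life", "GET")

if __name__ == "__main__":
    with_cnonce = request_digest(*CREDS, SAMPLE)
    without = {k: v for k, v in SAMPLE.items() if k != "cnonce"}
    print("cnonce sent:   ", with_cnonce)
    print("cnonce absent: ", request_digest(*CREDS, without))
```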