RE: questions regarding draft-ietf-http-authentication-01 from Paul Leach on 1998-08-07 (ietf-http-wg@w3.org from July to September 1998)

From: Paul Leach <paulle@microsoft.com>
Date: Fri, 7 Aug 1998 01:12:06 -0700
To: 'Scott Lawrence' <lawrence@agranat.com>
Cc: "'http-wg@hplb.hpl.hp.com'" <http-wg@hplb.hpl.hp.com>, "'Ronald.Tschalaer@psi.ch'" <Ronald.Tschalaer@psi.ch>
Message-Id: <CB6657D3A5E0D111A97700805FFE65875D742B@red-msg-51.dns.microsoft.com>

> -----Original Message-----
> From: Scott Lawrence [mailto:lawrence@agranat.com]
> Sent: Sunday, March 29, 1998 10:50 AM
> To: Paul Leach
> Cc: HTTP-WG@cuckoo.hpl.hp.com; 'Ronald.Tschalaer@psi.ch'
> Subject: Re: questions regarding draft-ietf-http-authentication-01
> 
> 
> >> 8) Section 3.2.3: no words prohibit the server from 
> sending, say, a qop
> >> attribute but not a rspauth attribute. Also, while the cnonce is
> >> required to be the same as used in the request, the 
> nonce-count isn't.
> >> Hence I propose the following change in wording:
> >>
> >> Replace
> >>
> >> where "Status-Code" is the status code (e.g., "200") from the
> >> "Status-Line" of the response, as defined in section 6.1 of [2],
> >> and "digest-uri-value" is the value of the "uri" directive on the
> >> Authorization header in the request. The "cnonce-value" MUST be
> >> one for the client request to which this message is the response.
> >>
> >> by
> >>
> >> where "Status-Code" is the status code (e.g., "200") from the
> >> "Status-Line" of the response, as defined in section 6.1 of [2],
> >> and "digest-uri-value" is the value of the "uri" directive on the
> >> Authorization header in the request. The "cnonce-value" and
> >> "nc-value" MUST be the ones used in the client request to which
> >> this message is the response.
> >>
> >> The "response-auth", "cnonce", and "nonce-count" attributes MUST
> >> BE present if "qop=auth" or "qop=auth-int" is specified.
> 
> PL> Good. Thanks for the proposed wording.
> 
>   This was a cut-and-paste error, I think; the nc-value is not used in
>   the construction of the response-digest, so it need not be in the
>   syntax for the Authentication-Info header at all.  From client to
>   server the requests may be pipelined, so we needed the nonce count
>   to prevent replay, but each response is to exactly one unique
>   request, so no count is needed or used.

I don't understand -- the spec says that if qop=auth or auth-int,
   request-digest  = <"> < KD ( H(A1),     unq(nonce-value) 
                                       ":" nc-value 
                                       ":" unq(cnonce-value) 
                                       ":" unq(qop-value) 
                                       ":" H(A2)
                               ) <">
so nc-value is used, and is needed in the Auth-info header.

So, I did the edits that Ron suggested.

Paul

Received on Friday, 7 August 1998 01:14:03 UTC