Is nextnonce mandatory in Authentication-Info?

Hi:

I would like to get feedback about some discussion that popped up 
recently in the IETF AAA WG mailing list.

It is related to RFC 2617 and the interpretation of nextnonce in the 
Authentication-Info header.

Section 3.2.3 of RFC 2617 provides the following ABNF for the 
Authentication-Info header:

         AuthenticationInfo = "Authentication-Info" ":" auth-info
         auth-info          = 1#(nextnonce | [ message-qop ]
                                | [ response-auth ] | [ cnonce ]
                                | [nonce-count] )

This ABNF suggests that the nextnonce is mandatory and the other 
directives are optional.

However, the following paragraph contains a sentence that suggests that 
the nextnonce might be optional:

    "If the
    nextnonce field is present the client SHOULD use it when constructing
    the Authorization header for its next request."


So... there seems to be a contradiction between the ABNF and the text 
"if the nextnonce field is present...". Can I get an opinion on what the 
common understanding of the nextnonce in Authentication-Info is?

Regards,

           Miguel Garcia

-- 
Miguel A. Garcia           tel:+358-50-4804586
sip:miguel.an.garcia@openlaboratory.net
Nokia Research Center      Helsinki, Finland

Received on Thursday, 8 June 2006 11:26:24 UTC
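
An added example, not part of the original message or of RFC 2617: a small Python parser for the Authentication-Info value that evaluates a header under both readings discussed above (nextnonce mandatory per the ABNF, optional per the quoted sentence) and picks the nonce a client would use next. The directive names qop, rspauth and nc are taken from RFC 2617; the function names and the sample header values are constructed for illustration.

```python
import re

# Directive names from RFC 2617 section 3.2.3 (not spelled out in the post).
KNOWN = {"nextnonce", "qop", "rspauth", "cnonce", "nc"}
# One list element: name = quoted-string | token, then a comma or end of value.
_PAIR = re.compile(
    r'\s*([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_auth_info(value):
    """Parse an Authentication-Info header value into {directive: value}."""
    out, pos, value = {}, 0, value.strip()
    while pos < len(value):
        m = _PAIR.match(value, pos)
        if not m:
            raise ValueError(f"malformed directive at offset {pos}")
        name = m.group(1).lower()
        if name not in KNOWN or name in out:
            raise ValueError(f"unknown or repeated directive: {name}")
        quoted = m.group(2)
        out[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else m.group(3)
        pos = m.end()
    if not out:
        raise ValueError("1# requires at least one directive")
    return out

def conforms(value, nextnonce_mandatory):
    """True if the header is acceptable under the chosen reading."""
    directives = parse_auth_info(value)
    return "nextnonce" in directives or not nextnonce_mandatory

def nonce_for_next_request(current_nonce, value):
    """Client side of the quoted sentence: use nextnonce only if present."""
    return parse_auth_info(value).get("nextnonce", current_nonce)

# Constructed sample header values (hypothetical, not from the post).
WITH_NEXT = 'nextnonce="f84f1cec41e6", qop=auth, nc=00000001, cnonce="0a4f113b"'
WITHOUT_NEXT = 'qop=auth, rspauth="6629fae49393a05397450978507c4ef1", nc=00000001'

if __name__ == "__main__":
    for hdr in (WITH_NEXT, WITHOUT_NEXT):
        print(hdr)
        print("  ABNF reading (mandatory):", conforms(hdr, True))
        print("  prose reading (optional):", conforms(hdr, False))
        print("  nonce for next request:  ", nonce_for_next_request("old-nonce", hdr))
```

A client written against the prose reading keeps its current nonce when nextnonce is absent; one written against the ABNF reading would treat the second sample as non-conforming.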