- From: Peter Saint-Andre <stpeter@stpeter.im>
- Date: Tue, 06 Mar 2012 12:34:43 -0700
- To: Henrik Nordström <henrik@henriknordstrom.net>
- CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>
On 3/2/12 1:09 PM, Henrik Nordström wrote:

> On Fri 2012-03-02 at 09:57 -0700, Peter Saint-Andre wrote:
>> Dear HTTP folks,
>>
>> I'd appreciate guidance regarding the processing of Erratum #1649, filed
>> against RFC 2617 over three years ago. In accordance with
>> http://www.ietf.org/iesg/statement/errata-processing.html do people
>> think this is a valid erratum, or is further discussion needed?
>
> It's valid.

Thanks for checking.

> All MD5 hashes in Digest are in their hex-ascii representation form
> (3.1.3). So
>
> H(data) = MD5(data)
>
> MD5-sess A1 = H( unq(username-value) ":" unq(realm-value)
> ":" passwd )
> ":" unq(nonce-value) ":" unq(cnonce-value)
>
> Gives that the initial hashed part is the 32-character hex MD5 hash
> H( unq(username-value) ":" unq(realm-value) ":" passwd )
>
> Note that the example is in general very poor at demonstrating MD5-sess
> usage and I would expect many to get the cnonce wrong from looking at
> this example code. The code looks innocently capable of MD5-sess when it
> in fact is only showing normal MD5 usage. And it does not help that the
> code calculates H(A1) directly where the text describing the difference
> between MD5 and MD5-sess is only looking at A1.

Yes, there are lots of interoperability problems with DIGEST auth, and the seemingly poor documentation in RFC 2617 (and, separately, RFC 2831 for SASL) certainly doesn't help.

Peter

--
Peter Saint-Andre
https://stpeter.im/
Received on Tuesday, 6 March 2012 19:35:12 UTC