- From: Jim Whitehead <ejw@cse.ucsc.edu>
- Date: Fri, 26 Oct 2001 10:06:16 -0700
- To: "WebDAV" <w3c-dist-auth@w3.org>
Accidentally caught by the spam filter. I have added Patrick's email address to the accept2 list, so future email from him will not get caught. - Jim -----Original Message----- From: patrick.mourot@online.fr [mailto:patrick.mourot@online.fr] Sent: Friday, October 26, 2001 5:09 AM To: w3c-dist-auth@w3.org Subject: [Moderator Action] cnonce computing ? Sir I'm a bit confused with cnonce in Computing hash values for authentication. RFC 2617 (Basic and Digest Access Authentication), <RFCQUOTE> 3.2.2 The Authorization Request Header [...] cnonce This MUST be specified if a qop directive is sent (see above), and MUST NOT be specified if the server did not send a qop directive in the WWW-Authenticate header field. [...] 3.2.2.1 Request-Digest [...] If the "qop" directive is not present (this construction is for compatibility with RFC 2069): request-digest = <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <"> See below for the definitions for A1 and A2. 3.2.2.2 A1 [...] If the "algorithm" directive's value is "MD5-sess", then A1 is calculated only once - on the first request by the client following receipt of a WWW-Authenticate challenge from the server. It uses the server nonce from that challenge, and the first client nonce value to construct A1 as follows: A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value) </RFCQUOTE> ^^^^^^^^^^^ If we have no qop and "algorithm" as "MD5-sess", what is cnonce-value since we don't have a cnonce ? Does it happen ? TIA Patrick
Received on Friday, 26 October 2001 13:10:12 UTC