FW: [Moderator Action] cnonce computing ?

Accidentally caught by the spam filter. I have added Patrick's email address
to the accept2 list, so future email from him will not get caught.

- Jim

-----Original Message-----
From: patrick.mourot@online.fr [mailto:patrick.mourot@online.fr]
Sent: Friday, October 26, 2001 5:09 AM
To: w3c-dist-auth@w3.org
Subject: [Moderator Action] cnonce computing ?


Sir

I'm a bit confused with cnonce in
Computing hash values for authentication.
RFC 2617 (Basic and Digest Access Authentication),

<RFCQUOTE>
3.2.2 The Authorization Request Header

[...]

cnonce
     This MUST be specified if a qop directive is sent (see above), and
     MUST NOT be specified if the server did not send a qop directive in
     the WWW-Authenticate header field.

[...]

3.2.2.1 Request-Digest

[...]

If the "qop" directive is not present (this construction is for
compatibility with RFC 2069):
  request-digest  = <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">

See below for the definitions for A1 and A2.

3.2.2.2 A1

[...]

If the "algorithm" directive's value is "MD5-sess", then A1 is
calculated only once - on the first request by the client following
receipt of a WWW-Authenticate challenge from the server.  It uses the
server nonce from that challenge, and the first client nonce value to
construct A1 as follows:

  A1 = H( unq(username-value) ":" unq(realm-value) ":" passwd )
          ":" unq(nonce-value) ":" unq(cnonce-value)

</RFCQUOTE>                            ^^^^^^^^^^^

If we have no qop and "algorithm" as "MD5-sess", what is cnonce-value
since we don't have a cnonce ? Does it happen ?

TIA

Patrick

Received on Friday, 26 October 2001 13:10:12 UTC