Re: still more Digest auth questions/comments
Dave Kristol (dmk@bell-labs.com)
Fri, 10 Apr 1998 11:56:55 -0400
Whoops! I really blew that. H(A1) is, in fact, the secret for KD().
Dave Kristol
==============
Dave Kristol wrote:
>
> 3.2.1 The WWW-Authenticate Response Header
>
> We define function KD as:
> KD(secret, data) = H(concat(secret, ":", data))
>
> 3.2.2 The Authorization Request Header
>
> The spec. says:
> If the "qop" directive is not present (this construction is for
> compatibility with RFC 2069):
>
> request-digest =
> <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">
>
> see below for the defintions for A1 and A2.
>
> If the "qop" value is "auth":
>
> request-digest = <"> < KD ( H(A1), unq(nonce-value)
> ":" nc-value
> ":" unq(cnonce-value)
> ":" unq(qop-value)
> ":" H(A2)
> ) <">
>
> Note that in neither of these uses of KD() are there two arguments!
>
> I believe the first use of KD() is actually incorrect, although the
> description is inherited from RFC 2069. I think it should be H(), not
> KD().
>
> It's not clear to me whether the other use of KD() is correct, or
> whether it, too, should be H(). If it should be H() (and I think so),
> then we should remove all references to KD(), which is not actually
> used.
>
> Dave Kristol