Re: Authentication issue CNONCE: Proposed resolution
Scott Lawrence (lawrence@agranat.com)
Tue, 28 Jul 1998 18:12:53 +0000

Larry Masinter wrote:
> In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0031.html
> Dave Kristol wrote:
>
> # 3.2.3 The Authentication-Info Header
> # cnonce and qop are used in the calculation of response-digest. The
> # client is not required to send either cnonce= or auth=. So I assume
> # (correct?) that the null string is used for values for omitted
> # attributes in the calculation.
>
> I suggest that this be the correct interpretation, that the null
> string is used for values for omitted attributes in the calculation.
>
> # If (to use cnonce as the example) cnonce was omitted, should
> # Authentication-Info omit cnonce, or should it send cnonce=""? Same
> # question for auth.
>
> I propose that either MAY be allowed, since they are equivalent.

I think that this is an acceptable resolution, but that the Security
Considerations section will need a short paragraph on the implications of
leaving this out - the server is then not authenticated to the user agent.
--
Scott Lawrence Consulting Engineer <lawrence@agranat.com>
Agranat Systems, Inc. Embedded Web Technology http://www.agranat.com/
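The interpretation discussed in this message, as an added example that is not part of the original post: omitted attributes enter the response-digest calculation as the null string, so an omitted cnonce and cnonce="" give the same digest, and a client-side check can report when a matching digest still does not authenticate the server. The field layout is assumed from the formula later published in RFC 2617 section 3.2.3 (the draft text is not on this page); the header values, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# name=value or name="value" pairs, as they appear in a Digest header value
PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

def parse_params(value):
    """Parse the attributes the client actually sent; omitted ones are absent."""
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in PARAM.finditer(value)}

def h(text):
    # MD5 is the hash Digest authentication specifies
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def response_digest(params, password):
    """Digest the server returns; an omitted attribute contributes the null string."""
    get = lambda name: params.get(name, "")  # omitted and "" are equivalent
    ha1 = h(f'{get("username")}:{get("realm")}:{password}')
    ha2 = h(":" + get("uri"))  # assumed: A2 for the response has an empty method
    return h(":".join([ha1, get("nonce"), get("nc"), get("cnonce"), get("qop"), ha2]))

def check_server(request_params, received_digest, password):
    """Client-side check of the digest in Authentication-Info for a request."""
    expected = response_digest(request_params, password)
    if not hmac.compare_digest(expected, received_digest.lower()):
        return "mismatch"
    # Policy taken from the reply above: if the client sent no cnonce, no
    # client-chosen value went into the digest, so a match proves nothing.
    if not request_params.get("cnonce"):
        return "match-but-server-not-authenticated"
    return "server-authenticated"

# Constructed sample attribute lists (not captured traffic)
OMITTED = 'username="alice", realm="test@example.org", nonce="abc123", uri="/index.html"'
EMPTY = OMITTED + ', cnonce=""'
WITH_CNONCE = OMITTED + ', qop=auth, nc=00000001, cnonce="0a4f113b"'
PASSWORD = "constructed-password"

if __name__ == "__main__":
    for label, header in (("omitted", OMITTED), ("empty", EMPTY), ("cnonce", WITH_CNONCE)):
        params = parse_params(header)
        digest = response_digest(params, PASSWORD)
        print(label, digest, check_server(params, digest, PASSWORD))
```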