RFC Errata



RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication", June 1999

Note: This RFC has been obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617

Source of RFC: http (app)

Errata ID: 1796
Status: Rejected
Type: Editorial
Publication Format(s) : TEXT

Reported By: Jerry Conrad
Date Reported: 2009-06-19
Rejected by: Alexey Melnikov
Date Rejected: 2009-06-19

Section 3.2.2.1 says:

3.2.2.1 Request-Digest

   If the "qop" value is "auth" or "auth-int":

      request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
                                          ":" nc-value
                                          ":" unq(cnonce-value)
                                          ":" unq(qop-value)
                                          ":" H(A2)
                                  ) <">

   If the "qop" directive is not present (this construction is for
   compatibility with RFC 2069):

      request-digest  =
                 <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) >
   <">

It should say:

3.2.2.1 Request-Digest

   If the "qop" value is "auth" or "auth-int":

      request-digest  = <"> < KD ( H(A1)  ":" unq(nonce-value)
                                          ":" nc-value
                                          ":" unq(cnonce-value)
                                          ":" unq(qop-value)
                                          ":" H(A2)
                                  ) <">

   If the "qop" directive is not present (this construction is for
   compatibility with RFC 2069):

      request-digest  =
                 <"> < KD ( H(A1) ":" unq(nonce-value) ":" H(A2) ) >
   <">

Notes:

The "," after H(A1) should be ":" in two places.

--VERIFIER NOTES--
KD is defined in the document as:

KD(secret, data) = H(concat(secret, ":", data))

So KD takes 2 parameters and the text in the RFC is correct in this respect.
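
The two-argument reading of KD, worked through as an added example (not part of the erratum record or of RFC 2617). It assumes the default MD5 algorithm and uses the sample credentials from RFC 2617 section 3.5; the function names and the constant-time verify helper are illustrative choices.

```python
import hashlib
import hmac

def H(data: str) -> str:
    """H(data) for the default MD5 algorithm, as lowercase hex."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(concat(secret, ":", data)), as quoted above."""
    return H(secret + ":" + data)

def request_digest(user, realm, password, method, uri, nonce,
                   nc=None, cnonce=None, qop=None) -> str:
    """request-digest value (without the surrounding quotes) per 3.2.2.1."""
    if qop not in (None, "auth"):
        raise ValueError("only qop=auth and the RFC 2069 form are shown here")
    ha1 = H(f"{user}:{realm}:{password}")   # H(A1), the secret argument
    ha2 = H(f"{method}:{uri}")              # H(A2) for qop=auth or no qop
    if qop is None:
        data = f"{nonce}:{ha2}"             # RFC 2069 compatibility form
    else:
        data = f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    # The "," in the ABNF separates these two arguments; KD adds the ":".
    return KD(ha1, data)

def flat_form(parts) -> str:
    """The string the erratum proposes: every field joined with ':'."""
    return H(":".join(parts))

def verify(expected: str, received: str) -> bool:
    """Server-side comparison in constant time."""
    return hmac.compare_digest(expected, received.lower())

# Sample values from RFC 2617 section 3.5
SAMPLE = dict(user="Mufasa", realm="testrealm@host.com",
              password="Circle Of Life", method="GET",
              uri="/dir/index.html",
              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")
QOP = dict(nc="00000001", cnonce="0a4f113b", qop="auth")

if __name__ == "__main__":
    print(request_digest(**SAMPLE, **QOP))
```

Both notations hash the same byte string, which is why the comma in the RFC text is not an error: it marks the argument boundary of KD, and KD itself supplies the colon.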
