RFC Errata
RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication", June 1999
Note: This RFC has been obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617
Source of RFC: http (app)
Errata ID: 1796
Status: Rejected
Type: Editorial
Publication Format(s) : TEXT
Reported By: Jerry Conrad
Date Reported: 2009-06-19
Rejected by: Alexey Melnikov
Date Rejected: 2009-06-19
Section 3.2.2.1 says:
3.2.2.1 Request-Digest

   If the "qop" value is "auth" or "auth-int":

      request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
                                          ":" nc-value
                                          ":" unq(cnonce-value)
                                          ":" unq(qop-value)
                                          ":" H(A2)
                                  ) <">

   If the "qop" directive is not present (this construction is for
   compatibility with RFC 2069):

      request-digest  =
                 <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">
It should say:
3.2.2.1 Request-Digest

   If the "qop" value is "auth" or "auth-int":

      request-digest  = <"> < KD ( H(A1) ":" unq(nonce-value)
                                         ":" nc-value
                                         ":" unq(cnonce-value)
                                         ":" unq(qop-value)
                                         ":" H(A2)
                                  ) <">

   If the "qop" directive is not present (this construction is for
   compatibility with RFC 2069):

      request-digest  =
                 <"> < KD ( H(A1) ":" unq(nonce-value) ":" H(A2) ) > <">
Notes:
The "," after H(A1) should be ":" in two places.
--VERIFIER NOTES--
KD is defined in the document as:
KD(secret, data) = H(concat(secret, ":", data))
So KD takes 2 parameters and the text in the RFC is correct in this respect.
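
Added example (not part of the erratum record or of RFC 2617): the two-parameter KD from the verifier notes, next to the single colon-joined string the report proposes, showing that both produce the same request-digest. The helper names are hypothetical, and the input values are assumed to be the worked example from RFC 2617 section 3.5, which does not appear on this page.

```python
import hashlib

def H(data: str) -> str:
    """H(data) for algorithm MD5, returned as lowercase hex."""
    return hashlib.md5(data.encode("ascii")).hexdigest()

def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(concat(secret, ":", data))."""
    return H(secret + ":" + data)

def _ha1_ha2(p: dict):
    ha1 = H(f"{p['username']}:{p['realm']}:{p['password']}")  # H(A1)
    ha2 = H(f"{p['method']}:{p['uri']}")  # H(A2) when qop is "auth" or absent
    return ha1, ha2

def request_digest(p: dict) -> str:
    """Request-digest as the RFC text writes it: KD(H(A1), data)."""
    ha1, ha2 = _ha1_ha2(p)
    qop = p.get("qop")
    if qop is None:  # RFC 2069 compatibility form
        return KD(ha1, f"{p['nonce']}:{ha2}")
    if qop != "auth":
        raise ValueError("auth-int needs H(entity-body) in A2; not handled here")
    return KD(ha1, f"{p['nonce']}:{p['nc']}:{p['cnonce']}:{qop}:{ha2}")

def request_digest_flat(p: dict) -> str:
    """Same value written as in the report: one colon-joined string fed to H."""
    ha1, ha2 = _ha1_ha2(p)
    qop = p.get("qop")
    middle = [p["nc"], p["cnonce"], qop] if qop else []
    return H(":".join([ha1, p["nonce"], *middle, ha2]))

# Assumed inputs: the example exchange in RFC 2617 section 3.5.
SAMPLE = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "password": "Circle Of Life", "method": "GET", "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth",
}

if __name__ == "__main__":
    print("KD(H(A1), data):", request_digest(SAMPLE))
    print("H(joined string):", request_digest_flat(SAMPLE))
```

The comma in the RFC text separates KD's two arguments; the ":" between them is supplied by KD itself, so the hashed byte string is identical in both notations.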