RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication", June 1999

Note: This RFC has been obsoleted by RFC 7235 RFC 7615 RFC 7616 RFC 7617

Source of RFC: http (app)

Errata ID: 1914
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: Larry Westrick
Date Reported: 2009-10-14
Rejected by: Peter Saint-Andre
Date Rejected: 2011-06-27

Section 3.2.2.1 says:

3.2.2.1 Request-Digest

   If the "qop" value is "auth" or "auth-int":

      request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
                                          ":" nc-value
                                          ":" unq(cnonce-value)
                                          ":" unq(qop-value)
                                          ":" H(A2)
                                  ) <">

   If the "qop" directive is not present (this construction is for
   compatibility with RFC 2069):

      request-digest  =
                 <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) >
   <">


It should say:

3.2.2.1 Request-Digest

   If the "qop" value is "auth" or "auth-int":

      request-digest  = <"> < KD ( H(A1)  ":" unq(nonce-value)
                                          ":" nc-value
                                          ":" unq(cnonce-value)
                                          ":" unq(qop-value)
                                          ":" H(A2)
                                  ) <">

   If the "qop" directive is not present (this construction is for
   compatibility with RFC 2069):

      request-digest  =
                 <"> < KD ( H(A1) ":" unq(nonce-value) ":" H(A2) ) >
   <">


Notes:

Errata 1796 addressing this issue and was rejected, perhaps for editorial or syntax reasons, when the section as it exists does not indicate the need for a ":" between A1 and unq(nonce-value). The ":" is most certainly required between these variables if the result of the hash is to be correct.
--VERIFIER NOTES--
The verifier notes on the rejected Erratum 1796 were as follows:

###

KD is defined in the document as:

KD(secret, data) = H(concat(secret, ":", data))

So KD takes 2 parameters and the text in the RFC is correct in this respect.

###

If there is good reason to pursue this issue further, please do so outside
the errata process.

Report New Errata