RFC Errata
RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication", June 1999
Note: This RFC has been obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617
Source of RFC: http (app)
Errata ID: 1914
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Larry Westrick
Date Reported: 2009-10-14
Rejected by: Peter Saint-Andre
Date Rejected: 2011-06-27
Section 3.2.2.1 says:
3.2.2.1 Request-Digest

   If the "qop" value is "auth" or "auth-int":

      request-digest  = <"> < KD ( H(A1),     unq(nonce-value)
                                          ":" nc-value
                                          ":" unq(cnonce-value)
                                          ":" unq(qop-value)
                                          ":" H(A2)
                                  ) <">

   If the "qop" directive is not present (this construction is for
   compatibility with RFC 2069):

      request-digest  =
                 <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) > <">
It should say:
3.2.2.1 Request-Digest

   If the "qop" value is "auth" or "auth-int":

      request-digest  = <"> < KD ( H(A1) ":" unq(nonce-value)
                                          ":" nc-value
                                          ":" unq(cnonce-value)
                                          ":" unq(qop-value)
                                          ":" H(A2)
                                  ) <">

   If the "qop" directive is not present (this construction is for
   compatibility with RFC 2069):

      request-digest  =
                 <"> < KD ( H(A1) ":" unq(nonce-value) ":" H(A2) ) > <">
Notes:
Erratum 1796 addressed this issue and was rejected, perhaps for editorial or syntax reasons, when the section as it exists does not indicate the need for a ":" between A1 and unq(nonce-value). The ":" is most certainly required between these variables if the result of the hash is to be correct.
--VERIFIER NOTES--
The verifier notes on the rejected Erratum 1796 were as follows:
###
KD is defined in the document as:
KD(secret, data) = H(concat(secret, ":", data))
So KD takes 2 parameters and the text in the RFC is correct in this respect.
###
If there is good reason to pursue this issue further, please do so outside
the errata process.