RFC Errata
RFC 2069, "An Extension to HTTP : Digest Access Authentication", January 1997
Note: This RFC has been obsoleted by RFC 2617
Source of RFC: http (app)
See Also: RFC 2069 w/ inline errata
Errata ID: 749
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Frank Ellermann
Date Reported: 2005-02-06
Verifier Name: Alexey Melnikov
Date Verified: 2010-07-11
Section 2.4 says:
RFC 2069 (digest access authentication) chapter 2.4 is an example; the username is "Mufasa", the password is "CircleOfLife":

| username="Mufasa",
| realm="testrealm@host.com",
| nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
| uri="/dir/index.html",
| response="e966c932a9242554e42c8ee200cec7f6",
| opaque="5ccc069c403ebaf9f0171e9517f40e41"

The "response" is MD5( MD5( A1 ) || ':' || nonce || ':' || MD5( A2 ))

MD5( A1 ) = MD5( username || ':' || realm || ':' || password )
          = MD5( "Mufasa:testrealm@host.com:CircleOfLife" )
          = "4945ecf42b1bb868634058a845bedde8"

MD5( A2 ) = MD5( Method || ':' || digest-uri-value )
          = MD5( "GET:/dir/index.html" )
          = "39aff3a2bab6126f332b942af96d3366"

This results in a response = "1949323746fe6a43ef61f9606e7febea" instead of the shown value = "e966c932a9242554e42c8ee200cec7f6".

Quick reality check: the RFC 2617 example uses the same values

username = "Mufasa"
nonce    = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
realm    = "testrealm@host.com"
A2       = "GET:/dir/index.html"

with a slightly different password = "Circle Of Life", resulting in MD5( A1 ) = "939e7578ed9e3c518a452acee763bce9". The "response" is MD5( MD5( A1 ) || ':' || X || ':' || MD5( A2 )) for X = "dcd98b7102dd2f0e8b11d0f600bfb0c093:00000001:0a4f113b:auth", and here the response = "6629fae49393a05397450978507c4ef1" works as expected.
It should say:
[not submitted]
Notes:
I've tried to contact two of the RFC 2069 authors about this issue,
but got no reply.
Alexey: note that this problem was addressed in RFC 2617.
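The recomputation the reporter describes, carried out in code as an added example (this is not part of the erratum, of RFC 2069 or of RFC 2617). It implements both request-digest formulas, the RFC 2069 form MD5(HA1:nonce:HA2) and the RFC 2617 form with qop, MD5(HA1:nonce:nc:cnonce:qop:HA2), parses an Authorization header into its parameters, and performs the server-side check a verifier would do: recompute the digest from the presented parameters and the stored password and compare it to the presented response. The two header values are constructed from the figures quoted above; the opaque value on the RFC 2617 header is copied from the RFC 2069 one and is an assumption, and `verify` is a hypothetical helper, not an API from either RFC.

```python
"""Recompute the Digest 'response' values discussed in RFC 2069 erratum 749."""
import hashlib
import hmac
import re


def md5_hex(s: str) -> str:
    """Hex MD5 of the octets of s (Digest hashes the bytes of the ':'-joined string)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """MD5(A1) with A1 = username ':' realm ':' password."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """MD5(A2) with A2 = Method ':' digest-uri-value."""
    return md5_hex(f"{method}:{uri}")


def response_rfc2069(username, realm, password, method, uri, nonce):
    """RFC 2069 request-digest: MD5(HA1 ':' nonce ':' HA2)."""
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{ha2(method, uri)}")


def response_rfc2617(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest when qop is present:
    MD5(HA1 ':' nonce ':' nc ':' cnonce ':' qop ':' HA2)."""
    return md5_hex(
        f"{ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri)}"
    )


# key=value pairs; values are either quoted (realm="...") or bare tokens (nc=00000001).
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(value: str) -> dict:
    """Split the value of an 'Authorization: Digest ...' header into its parameters."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest credential")
    return {k: quoted or bare for k, quoted, bare in _PARAM_RE.findall(value[len("Digest "):])}


def verify(header_value: str, method: str, password: str) -> bool:
    """Hypothetical server-side check (assumption, not from the RFCs): recompute the
    digest for the presented parameters and the stored password, then compare in
    constant time. Uses the RFC 2617 formula when qop is present, RFC 2069 otherwise."""
    p = parse_digest_header(header_value)
    if "qop" in p:
        expected = response_rfc2617(p["username"], p["realm"], password, method,
                                    p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
    else:
        expected = response_rfc2069(p["username"], p["realm"], password, method,
                                    p["uri"], p["nonce"])
    return hmac.compare_digest(expected, p["response"])


NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

# Constructed from the RFC 2069 section 2.4 example as quoted in the erratum.
RFC2069_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    f'nonce="{NONCE}", uri="/dir/index.html", '
    'response="e966c932a9242554e42c8ee200cec7f6", opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

# Constructed from the RFC 2617 figures quoted in the erratum (qop=auth, nc=00000001,
# cnonce="0a4f113b"); the opaque value is an assumption and plays no part in the digest.
RFC2617_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    f'nonce="{NONCE}", uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


def check_examples() -> dict:
    """Recompute both examples and return the values the erratum discusses."""
    return {
        "rfc2069_ha1": ha1("Mufasa", "testrealm@host.com", "CircleOfLife"),
        "rfc2069_computed": response_rfc2069("Mufasa", "testrealm@host.com", "CircleOfLife",
                                             "GET", "/dir/index.html", NONCE),
        "rfc2069_printed": parse_digest_header(RFC2069_HEADER)["response"],
        "rfc2069_verifies": verify(RFC2069_HEADER, "GET", "CircleOfLife"),
        "rfc2617_ha1": ha1("Mufasa", "testrealm@host.com", "Circle Of Life"),
        "rfc2617_verifies": verify(RFC2617_HEADER, "GET", "Circle Of Life"),
    }


if __name__ == "__main__":
    for name, value in check_examples().items():
        print(f"{name}: {value}")
```

Run as a script, this reproduces the reporter's finding: the RFC 2069 header fails verification with the password the RFC states, while the RFC 2617 header verifies. The comparison uses `hmac.compare_digest` rather than `==` so that the check does not leak how many leading hex digits of the presented response were right.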