Stephen Farrell wrote:
Hi Dale,You may be right.I agree with all that you wrote, except for the "we" bit. I'm not
at all sure that it'd be in our charter to develop any new mutual
authentication schemes, which is what I believe would be needed to
properly bind sTLS and DIGEST-MD5.
Here's another alternative:
SACRED clients will include a unique value received from the TLS server (e.g., during session negotiation) within their digest-MD5 response.
For example, the TLS server's certID could be used to bind the client's digest-MD5 response to the connected TLS server and no others. I believe the client's response is now unusable with any other credential server:
client response = Hash ((Hash(A1)), { nonce-value, ":"nc-value,
":",
cnonce-value, ":", qop-value, ":", HEX(H(A2)) }))
where,
A1 = Hash(user-name:realm:password):server-nonce:client-nonce
A2 = AUTHENTICATE:digest-uri-value:HEX(TLS-server-certID)
Would that do it?