
Re: comments on draft-leach-digest-sasl-01.txt



RL Bob Morgan wrote:

> (8) Sections 2.1.2.1 and 2.1.3 specify values for factor "A2" when qop
> is "auth" and "auth-int" but not "auth-conf".  Is this an omission or
> is there some reason the auth-conf case is not dealt with here?

IMHO, something is missing.

> (9) If a data stream is protected by auth-int or auth-conf, do the
> messages exchanged during a "subsequent authentication"
> use that protection or not?

I think not. Subsequent authentication means that a separate connection is used
(unless the protocol supports multiple SASL authentication attempts; I don't know
of any protocol that supports this).

> (13) In section 2.1.2.1 on the response-value, the value A1 is defined
> as:
>
>    A1       = { H( { username-value, ":", realm-value, ":", passwd } ),
>                   ":", nonce-value, ":", cnonce-value }
>
> where H(s) is "the 16 octet MD5 hash of the string s".  This
> construction calls for concatenation of octets output by the hash
> function with character strings.  Is this what is intended?

Yes, A1 is calculated as per HTTP-Digest spec.

> All the other concatenations in the spec are between text strings.  Is this
> instead supposed to be:
>
>    A1       = { HEX(H( { username-value, ":", realm-value, ":", passwd } )),
>                   ":", nonce-value, ":", cnonce-value }
>
> ?

--
Regards,
Alexey Melnikov
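The A1 construction at issue in point (13), as an added example that is not part of this thread (it is neither Morgan's nor Melnikov's code): it builds A1 both as the draft writes it (the 16 raw MD5 octets concatenated with text, the form RFC 2831 eventually kept) and in the HEX form Morgan proposes, then shows that the two readings yield different response-values, so a client and server that disagree cannot authenticate. The response-value formula, the `AUTHENTICATE:` A2 string and all sample credentials and nonces are assumptions taken from RFC 2831 or constructed here, not from the thread.

```python
import hashlib


def H(s: bytes) -> bytes:
    """H(s): the 16 raw octets of MD5(s), as the draft defines it."""
    return hashlib.md5(s).digest()


def HEX(b: bytes) -> bytes:
    """Lower-case hexadecimal encoding of b as an ASCII byte string."""
    return b.hex().encode("ascii")


def a1_raw_octets(username: bytes, realm: bytes, passwd: bytes,
                  nonce: bytes, cnonce: bytes) -> bytes:
    """A1 as written in the draft: the 16 binary octets of H() concatenated
    with ':' and text strings. RFC 2831 kept exactly this form."""
    return H(username + b":" + realm + b":" + passwd) + b":" + nonce + b":" + cnonce


def a1_hex_encoded(username: bytes, realm: bytes, passwd: bytes,
                   nonce: bytes, cnonce: bytes) -> bytes:
    """The variant Morgan asks about: HEX(H(...)) first, so A1 is pure text."""
    return HEX(H(username + b":" + realm + b":" + passwd)) + b":" + nonce + b":" + cnonce


def response_value(a1: bytes, a2: bytes, nonce: bytes, nc: bytes,
                   cnonce: bytes, qop: bytes) -> bytes:
    """HTTP-Digest style response-value:
    HEX(KD(HEX(H(A1)), nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    with KD(k, s) = H(k ":" s). Formula from RFC 2831; assumed to match the draft."""
    kd_input = (HEX(H(a1)) + b":" + nonce + b":" + nc + b":" + cnonce
                + b":" + qop + b":" + HEX(H(a2)))
    return HEX(H(kd_input))


# Constructed sample values; not taken from the thread or from any real exchange.
USERNAME, REALM, PASSWD = b"alice", b"example.test", b"correct-horse"
NONCE, CNONCE, NC, QOP = b"srvnonce0001", b"clinonce0001", b"00000001", b"auth"
A2_AUTH = b"AUTHENTICATE:imap/example.test"  # A2 for qop=auth in RFC 2831 form (assumed)


def compare_constructions() -> dict:
    """Compute the response-value under both A1 readings. A client using one
    reading and a server using the other never agree, so the ambiguity costs a
    failed login rather than a weaker one."""
    raw = a1_raw_octets(USERNAME, REALM, PASSWD, NONCE, CNONCE)
    hexed = a1_hex_encoded(USERNAME, REALM, PASSWD, NONCE, CNONCE)
    return {
        "raw_a1_len": len(raw),    # 16 digest octets + ':' + nonce + ':' + cnonce
        "hex_a1_len": len(hexed),  # 32 hex characters + the same tail
        "raw_response": response_value(raw, A2_AUTH, NONCE, NC, CNONCE, QOP),
        "hex_response": response_value(hexed, A2_AUTH, NONCE, NC, CNONCE, QOP),
    }


if __name__ == "__main__":
    for key, value in compare_constructions().items():
        print(key, value)
```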