Re: digest-md5 realm
On 29 Jul 1999 17:24:37 -0400 Lawrence Greenfield <leg+@xxxxxxxxxxxxxx>
wrote:
> There appears to be a conflict in draft-leach-digest-sasl-03.txt.
>
> In Section 2.1.1, the "realm" is optional and:
>
> This directive is optional; if not present, the client MUST solicit
> it from the user or have been configured to use a default; a
> plausible default might be the realm supplied by the user when
> they logged in to the client system. Multiple realm directives
> are allowed.
>
> In Section 2.1.2, the "realm" in the response is:
> The realm containing the user's account. It MUST be one of the realms
> from the "digest-challenge", if any were provided. This directive is
> required unless the server did not provide any realms; otherwise, if
> not present, or not one of the ones in the "digest-challenge",
> authentication fails.
>
> This seems to imply that if a realm was not sent with the challenge, a
> client need not reply with a realm.
I don't agree. If the realm was not sent with the challenge, the client MUST ask
the user to type some realm (I still don't like that the user has no way
to discover the realm format. It would be much better if the spec said that
the realm MUST be in the form of an FQDN or in <group>@<host> format).
This means that the SASL API should have a Realm callback.
The last phrase of section 2.1.2 is ambiguous. I would rather have:
This directive is required unless the server did not provide any
realms; otherwise, if not present in client response, or not one of the
ones in the "digest-challenge", authentication fails.
> I assume the realm is actually required in the response?
IMHO, the client MUST send some realm to the server, because it is used in the hash
calculation.
-------------------
Alexey Melnikov
mel@xxxxxxxxxxxxxxxxxxx
* This e-mail message was sent with Execmail V5.0 *
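As an added illustration of the point above (the realm is hashed into A1, so a client that omits it cannot produce a response the server can verify), here is the DIGEST-MD5 response computation for qop=auth as specified in RFC 2831, the published form of the draft under discussion, together with a server-side check that applies the Section 2.1.2 realm rule. This is example code written for this archive page, not code from either correspondent; all nonces, names and the password are constructed sample values.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def _hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_md5_response(username, realm, password, nonce, cnonce, nc, digest_uri):
    """DIGEST-MD5 response-value for qop=auth (md5-sess). The realm is the
    second field hashed into A1, so client and server must agree on it."""
    # A1 = { H(username ":" realm ":" passwd), ":", nonce, ":", cnonce }
    a1 = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri (no entity-body hash for qop=auth)
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    # response = HEX(KD(HEX(H(A1)), nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    # where KD(k, s) = H(k ":" s)
    return _hex(f"{_hex(a1)}:{nonce}:{nc}:{cnonce}:auth:{_hex(a2)}".encode("utf-8"))

def server_verify(resp, challenge_realms, password_db, nonce, digest_uri):
    """Server side: apply the Section 2.1.2 realm rule, then recompute the hash."""
    realm = resp.get("realm")
    if realm is None or (challenge_realms and realm not in challenge_realms):
        return False  # realm absent, or not one of those sent in the challenge
    password = password_db.get((resp["username"], realm))
    if password is None:
        return False  # no account for this user in this realm
    expected = digest_md5_response(resp["username"], realm, password, nonce,
                                   resp["cnonce"], resp["nc"], digest_uri)
    return secrets.compare_digest(expected, resp["response"])

# Constructed sample values (not real credentials, nonces or a real server).
NONCE, CNONCE, NC = "server-nonce-constructed", "client-nonce-constructed", "00000001"
DIGEST_URI = "imap/mail.example.org"
PASSWORD_DB = {("chris", "example.org"): "secret"}

def demo():
    """Returns (accepted, rejected_wrong_realm, rejected_missing_realm)."""
    good = digest_md5_response("chris", "example.org", "secret", NONCE, CNONCE, NC, DIGEST_URI)
    base = {"username": "chris", "cnonce": CNONCE, "nc": NC, "response": good}
    accepted = server_verify({**base, "realm": "example.org"}, ["example.org"], PASSWORD_DB, NONCE, DIGEST_URI)
    wrong = server_verify({**base, "realm": "other.example"}, ["example.org"], PASSWORD_DB, NONCE, DIGEST_URI)
    # Challenge carried no realm and the client sent none: the server cannot even form A1.
    missing = server_verify(base, [], PASSWORD_DB, NONCE, DIGEST_URI)
    return accepted, wrong, missing
```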