
Re: digest-md5 realm



That's funny; I just wrote to Paul and Chris about exactly this problem.

On 7/29/99 at 3:56 PM -0600, Alexey Melnikov wrote:

On 29 Jul 1999 17:24:37 -0400 Lawrence Greenfield <leg+@xxxxxxxxxxxxxx>
wrote:

There appears to be a conflict in draft-leach-digest-sasl-03.txt.
[...]
This seems to imply that if a realm was not sent with the challenge, a client need not reply with a realm.

Yes, this is poorly written and you've got the meaning exactly right.


I don't agree. If the realm was not sent with the challenge, the client MUST ask the user to type some realm...

No. If a realm was not sent, the client can perfectly well answer with an empty string, or with no realm at all (which is equivalent to the empty string realm).


In Section 2.1.1, the "realm" is optional and:

This directive is optional; if not present, the client MUST solicit it from the user or have been configured to use a default; a plausible default might be the realm supplied by the user when they logged in to the client system. Multiple realm directives are allowed.

This is obviously incorrect. If the realm is not present, the client MAY solicit it from the user, use a configured default (for example, a realm supplied when the user logged in to the client system), or use an empty string for the realm.


In Section 2.1.2, the "realm" in the response is:

The realm containing the user's account. It MUST be one of the realms from the "digest-challenge", if any were provided. This directive is required unless the server did not provide any realms; otherwise, if not present, or not one of the ones in the "digest-challenge", authentication fails.

This is just poorly written. It's the word "otherwise" in that clause that screws it up. Replace this with:


The realm containing the user's account. If one or more realms was provided in the "digest-challenge", then the realm directive is required and the value must be one of the realms from the "digest-challenge", or the authentication fails. If no realm was provided in the "digest-challenge", then the realm directive is optional. If the client does send a realm, it MAY be solicited from the user, a configured default (for example, a realm supplied when the user logged in to the client system), or an empty string.

IMHO, the client MUST send some realm to the server, because it is used in the hash calculation.

It can be the empty string. It is not required.


pr
--
Pete Resnick <mailto:presnick@xxxxxxxxxxxx>
Eudora Engineering - QUALCOMM Incorporated
Ph: (217)337-6377 or (619)651-4478, Fax: (619)651-1102
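Added illustration of the point argued in this reply (not code from the thread or from any DIGEST-MD5 implementation): the realm is part of the hash, so an omitted realm directive and an empty-string realm produce the same response, while the server only needs to insist on a realm when it offered one in the challenge. Parsing is deliberately minimal and all nonces, names and passwords are constructed.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Response-value as in the digest-sasl draft / RFC 2831.
    realm=None means the directive was omitted; it is folded to "" here."""
    realm = "" if realm is None else realm
    # A1 = H(username:realm:password) as raw bytes, then ":" nonce ":" cnonce
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop != "auth":  # auth-int / auth-conf append 32 zero hex digits
        a2 += b":00000000000000000000000000000000"
    ha1, ha2 = _h(a1).hex(), _h(a2).hex()
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()


def parse_directives(msg: str) -> dict:
    """Constructed minimal parser for 'k=v,k="v"' text; not a complete grammar."""
    out = {}
    for part in msg.split(","):
        key, _, value = part.strip().partition("=")
        out[key] = value.strip('"')
    return out


def server_verify(offered_realms, response_msg, password_lookup, nonce):
    """Apply the rule from the reply: a realm directive is required only when the
    challenge offered realms (and must be one of them); otherwise missing == ""."""
    d = parse_directives(response_msg)
    realm = d.get("realm")
    if offered_realms:
        if realm is None or realm not in offered_realms:
            return False
    else:
        realm = realm or ""
    if d.get("nonce") != nonce:
        return False
    expected = digest_md5_response(
        d["username"], realm, password_lookup(d["username"], realm),
        nonce, d["cnonce"], d["nc"], d["qop"], d["digest-uri"],
    )
    # constant-time compare so the check itself leaks nothing about the hash
    return hmac.compare_digest(expected, d.get("response", ""))
```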