Re: digest-md5 realm
On 7/29/99 at 4:23 PM -0700, Claus Assmann wrote:
On Thu, Jul 29, 1999, Alexey Melnikov wrote:
This is a reasonable example from my point of view and I don't want
to force every server to list all realms.
Good, because it could be a really big list for MTAs etc. supporting a
large set of virtual domains.
But in this case, there has to be an out-of-band agreement between
client and server in order for the realm to validate (i.e., it's not
possible on the wire to know if the chosen realm is legal). So
perhaps my rewrite of 2.1.2 should be adjusted to:
The realm containing the user's account. If one or more realms were
provided in the "digest-challenge", then the realm directive is
required and the value must be one of the realms from the
"digest-challenge", or the authentication fails. If no realm was
provided in the "digest-challenge", then the realm directive is
optional, though the server may still require a realm by some
out-of-band site policy. In this case, the client MAY solicit the
realm from the user or use a pre-configured default (for example, a
realm supplied when the user logged in to the client system). In the
absence of a realm directive, the realm is the empty string.
I would further rewrite the last part of 2.1.1 to:
This directive is optional. If it is not present, it indicates either
that no realm needs to be provided by the client (in which case the
empty string is the realm), or that there is an out-of-band agreement
between the client and server as to which realm(s) will be accepted.
IMHO the server could fall back to a default realm (e.g. its FQDN)
if no realm is sent by the client.
I agree with Paul that this is a bad plan. A missing realm should be
equivalent to an empty string realm. I see no engineering
justification to make it otherwise.
pr
--
Pete Resnick <mailto:presnick@xxxxxxxxxxxx>
Eudora Engineering - QUALCOMM Incorporated
Ph: (217)337-6377 or (619)651-4478, Fax: (619)651-1102
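As an added example (not from the thread or any of its participants), a Python sketch of the server-side realm check as the proposed 2.1.2 wording above would have it: parse the realm directives out of a digest-challenge, then accept or reject the client's realm directive. The sample challenge/response strings and the `site_requires_realm` flag (standing in for the out-of-band site policy) are constructed assumptions.

```python
import re

# One directive: name=quoted-string or name=token, followed by a comma or end of input.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,"\s]+))\s*(?:,|$)')

def parse_directives(text):
    """Split a digest-challenge / digest-response into (name, value) pairs."""
    pairs, pos = [], 0
    while pos < len(text):
        m = _DIRECTIVE.match(text, pos)
        if not m:
            raise ValueError("malformed directive near offset %d" % pos)
        name, quoted, token = m.groups()
        # Unescape backslash-quoted characters inside quoted-string values.
        value = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else token
        pairs.append((name.lower(), value))
        pos = m.end()
    return pairs

def offered_realms(challenge):
    """All realm directives the server listed (there may be zero, one, or many)."""
    return [v for n, v in parse_directives(challenge) if n == "realm"]

def select_realm(challenge, response, site_requires_realm=False):
    """Server-side realm check following the proposed 2.1.2 wording.
    Returns (True, realm) on success or (False, reason) if authentication fails.
    site_requires_realm models the out-of-band site policy mentioned in the thread."""
    offered = offered_realms(challenge)
    chosen = [v for n, v in parse_directives(response) if n == "realm"]
    if len(chosen) > 1:
        return False, "realm directive appears more than once"
    if offered:
        # Realms were listed: the directive is mandatory and must match one of them.
        if not chosen:
            return False, "realm required because the challenge listed realms"
        if chosen[0] not in offered:
            return False, "realm %r is not one of the offered realms" % chosen[0]
        return True, chosen[0]
    if not chosen:
        if site_requires_realm:
            return False, "site policy requires a realm but none was sent"
        return True, ""  # a missing realm is equivalent to the empty-string realm
    return True, chosen[0]  # accepted under the out-of-band agreement

# Constructed sample exchange (not from the thread); nonce values are made up.
SAMPLE_CHALLENGE = ('realm="example.com",realm="mail.example.com",nonce="OA6MG9tEQGm2hh",'
                    'qop="auth",charset=utf-8,algorithm=md5-sess')
SAMPLE_RESPONSE = ('username="chris",realm="example.com",nonce="OA6MG9tEQGm2hh",nc=00000001,'
                   'cnonce="OA6MHXh6VqTrRk",digest-uri="imap/example.com",qop=auth')
```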