
RE: LDAPDN and AuthMeth/DIGEST-MD5




> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:kurt@boolean.net]
> Sent: Friday, November 19, 1999 6:17 PM
> To: Mark Wahl

> 
> Lastly, the DIGEST-MD5 mechanism described by AuthMeth does
> not work for DN-based authorization identities.  A canonical
> utf8 representation of DNs is necessary.

I don't think so. From the Digest-MD5 draft:

2.1.2.1	Response-value
The definition of "response-value" above indicates the encoding for its
value -- 32 lower case hex characters. The following definitions show how
the value is computed.
   response-value  = 
      HEX( KD ( HEX(H(A1)),
              { nonce-value, ":" nc-value, ":", 
                cnonce-value, ":", qop-value, ":", HEX(H(A2)) }))
 
If authzid is specified, then A1 is

   A1 = { H( { username-value, ":", realm-value, ":", passwd } ), 
        ":", nonce-value, ":", cnonce-value, ":", authzid-value }

Hence, all that is necessary is that the server use exactly the
authzid-value that the client used to compute A1 -- it does not need to be
canonicalized.
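
The computation quoted above, as an added Python example that is not part of the original message or of the draft: it shows that the server's check succeeds when it hashes the authzid bytes exactly as received and fails when it hashes a re-normalized form of the same DN. Assumptions not taken from the message: the A2 form and KD definition (from RFC 2831, qop=auth), the "dn:" authzid prefix, and all sample values, which are constructed.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    """H() from the draft: raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()

def response_value(user, realm, passwd, nonce, cnonce, nc, qop, digest_uri, authzid):
    """Compute response-value with the formulas quoted above. All arguments are bytes."""
    # A1 = { H({username, ":", realm, ":", passwd}), ":", nonce, ":", cnonce, ":", authzid }
    a1 = b":".join([H(b":".join([user, realm, passwd])), nonce, cnonce, authzid])
    # A2 is not quoted in the message; this is the qop=auth form from RFC 2831.
    a2 = b"AUTHENTICATE:" + digest_uri
    hex_a1 = H(a1).hex().encode()
    hex_a2 = H(a2).hex().encode()
    # KD(k, s) = H({k, ":", s}), also from RFC 2831.
    kd = H(hex_a1 + b":" + b":".join([nonce, nc, cnonce, qop, hex_a2]))
    return kd.hex()  # 32 lower-case hex characters

def server_verify(received, authzid_for_hash, passwd, params):
    """Recompute the response with the given authzid bytes and compare."""
    expected = response_value(passwd=passwd, authzid=authzid_for_hash, **params)
    return hmac.compare_digest(expected, received)

# Constructed sample exchange (hypothetical values, not from the thread).
PARAMS = dict(user=b"chris", realm=b"example.com",
              nonce=b"OA6MG9tEQGm2hh", cnonce=b"OA6MHXh6VqTrRk",
              nc=b"00000001", qop=b"auth",
              digest_uri=b"ldap/ldap.example.com")
PASSWD = b"secret"
WIRE_AUTHZID = b"dn:CN=Chris Newman, O=Example, C=US"    # bytes the client sent
NORMALIZED_AUTHZID = b"dn:cn=chris newman,o=example,c=us"  # same DN, rewritten

def demo():
    client_response = response_value(passwd=PASSWD, authzid=WIRE_AUTHZID, **PARAMS)
    ok_raw = server_verify(client_response, WIRE_AUTHZID, PASSWD, PARAMS)
    ok_norm = server_verify(client_response, NORMALIZED_AUTHZID, PASSWD, PARAMS)
    return client_response, ok_raw, ok_norm

if __name__ == "__main__":
    print(demo())
```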