RE: LDAPDN and AuthMeth/DIGEST-MD5
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:kurt@boolean.net]
> Sent: Friday, November 19, 1999 6:17 PM
> To: Mark Wahl
>
> Lastly, the DIGEST-MD5 mechanism described by AuthMeth does
> not work for DN-based authorization identities. A canonical
> utf8 representation of DNs is necessary.
I don't think so. From the Digest-MD5 draft:
2.1.2.1 Response-value

The definition of "response-value" above indicates the encoding for its
value -- 32 lower case hex characters. The following definitions show how
the value is computed.

   response-value =
      HEX( KD ( HEX(H(A1)),
              { nonce-value, ":" nc-value, ":",
                cnonce-value, ":", qop-value, ":", HEX(H(A2)) }))

If authzid is specified, then A1 is

   A1 = { H( { username-value, ":", realm-value, ":", passwd } ),
        ":", nonce-value, ":", cnonce-value, ":", authzid-value }
Hence, all that is necessary is that the server use exactly the
authzid-value that the client used to compute A1 -- it does not need to be
canonicalized.
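
The point made in the reply above, as an added example that is not part of the original message or of the Digest-MD5 draft: a server that recomputes response-value with the authzid bytes exactly as received verifies the client, while one that rewrites the DN string first does not. KD(k, s) = H({k, ":", s}) and A2 = "AUTHENTICATE:" digest-uri (qop=auth) are taken from the Digest-MD5 specification rather than from this message; the function names and all sample values are constructed.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    """H(s): raw 16-octet MD5 digest."""
    return hashlib.md5(data).digest()

def HEX(data: bytes) -> bytes:
    """HEX(n): 32 lower-case hex characters, returned as bytes."""
    return data.hex().encode("ascii")

def KD(k: bytes, s: bytes) -> bytes:
    """KD(k, s) = H({k, ":", s}), per the Digest-MD5 specification."""
    return H(k + b":" + s)

def response_value(user, realm, passwd, nonce, cnonce, nc, qop,
                   digest_uri, authzid=None):
    """Compute response-value; every argument is bytes, used exactly as given."""
    a1 = H(user + b":" + realm + b":" + passwd) + b":" + nonce + b":" + cnonce
    if authzid is not None:
        a1 += b":" + authzid            # authzid-value enters A1 byte for byte
    a2 = b"AUTHENTICATE:" + digest_uri  # A2 for qop=auth (assumed qop)
    tail = b":".join([nonce, nc, cnonce, qop, HEX(H(a2))])
    return HEX(KD(HEX(H(a1)), tail)).decode("ascii")

def server_verify(received_response, authzid_for_a1, **fields):
    """Recompute the response with the given authzid; constant-time compare."""
    expected = response_value(authzid=authzid_for_a1, **fields)
    return hmac.compare_digest(expected, received_response)

# Constructed sample exchange: none of these values come from the thread.
FIELDS = dict(user=b"jdoe", realm=b"example.com", passwd=b"secret",
              nonce=b"constructed-nonce-1", cnonce=b"constructed-cnonce-1",
              nc=b"00000001", qop=b"auth",
              digest_uri=b"ldap/ldap.example.com")
CLIENT_AUTHZID = b"CN=Jane Doe, O=Example, C=US"    # string the client sent
REWRITTEN_AUTHZID = b"cn=jane doe,o=example,c=us"   # same DN, rewritten by server

def demo():
    resp = response_value(authzid=CLIENT_AUTHZID, **FIELDS)
    as_received = server_verify(resp, CLIENT_AUTHZID, **FIELDS)
    after_rewrite = server_verify(resp, REWRITTEN_AUTHZID, **FIELDS)
    return resp, as_received, after_rewrite

if __name__ == "__main__":
    print(demo())
```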