[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAPDN and AuthMeth/DIGEST-MD5

To: "'Kurt D. Zeilenga'" <kurt@boolean.net>
Subject: RE: LDAPDN and AuthMeth/DIGEST-MD5
From: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>
Date: Fri, 19 Nov 1999 19:02:07 -0800
Cc: ietf-ldapext@netscape.com
Resent-date: Sun, 21 Nov 1999 03:15:39 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"m37YQC.A.t6F.JR9N4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com


> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:kurt@boolean.net]
> Sent: Friday, November 19, 1999 6:17 PM
> To: Mark Wahl

> 
> Lastly, the DIGEST-MD5 mechanism described by AuthMeth does
> not work for DN-based authorization identities.  A canonical
> utf8 representation of DNs is necessary.

I don't think so. From the Digest-MD5 draft:

2.1.2.1	Response-value
The definition of "response-value" above indicates the encoding for its
value -- 32 lower case hex characters. The following definitions show how
the value is computed.
   response-value  = 
      HEX( KD ( HEX(H(A1)),
              { nonce-value, ":" nc-value, ":", 
                cnonce-value, ":", qop-value, ":", HEX(H(A2)) }))
 
If authzid is specified, then A1 is

   A1 = { H( { username-value, ":", realm-value, ":", passwd } ), 
        ":", nonce-value, ":", cnonce-value, ":", authzid-value }

Hence, all that is necessary is that the server use exactly the
authzid-value that the client used to compute A1 -- it does not need to be
canonicalized.

Follow-Ups:
- RE: LDAPDN and AuthMeth/DIGEST-MD5
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>

Prev by Date: RE: LDAPDN and AuthMeth/DIGEST-MD5
Next by Date: RE: LDAPDN and AuthMeth/DIGEST-MD5
Index(es):
- Chronological
- Thread