[Standards-JIG] JEP-0070: Transaction ID in Digest method
stpeter at jabber.org
Tue May 30 16:32:29 UTC 2006
Maciek Niedzielski wrote:
> Let's say I want to use JEP-70 with digest method.
> My web browser sends a hash (e.g. MD5) of my JID + transaction ID +
> something else. A bit later, as the JEP says:
> "HTTP Server MUST pass the URL, method, JID, and transaction identifier
> to the XMPP Server for confirmation"
> How exactly may the server know the transaction identifier, if it was
> transformed by a unidirectional hash function?
> I think that this ID could be passed via cnonce, since it really matches
> the original semantics of this argument.
Section 4.3.2 of JEP-0070 says:
The Digest Access Authentication scheme is defined in RFC 2617. This
scheme specifies that the authorization information shall consist of the
MD5 checksum of the username, the password, a nonce value provided in
the challenge, the HTTP method, and the requested URL. When the realm is
"xmpp", the profile defined herein further specifies that prior to
creating the MD5 checksum the username MUST be a valid JID as described
above, that the password MUST be a transaction identifier as described
above, and that any character in the JID or transaction identifier that
is outside the range of the US-ASCII coded character set MUST be
transformed into a percent-encoded octet as specified in Section 2.1 of
That seems wrong, since there is no "password" entity in digest auth.
Passing the transaction ID via the cnonce seems to be better.
Jabber Software Foundation
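The computation the quoted JEP text describes, as an added illustration that is not part of this thread or of JEP-0070 itself: RFC 2617 Digest with the "xmpp" realm profile, where the JID stands in for the username and the transaction identifier for the password, with non-US-ASCII characters percent-encoded first. The sample JID, nonce and transaction ID are constructed; the verify() function shows that the HTTP server can only check the digest if it already holds the transaction ID, since the ID cannot be recovered from the MD5 response.

```python
import hashlib
import hmac

REALM = "xmpp"  # the realm that selects the JEP-0070 Digest profile


def ascii_only(s: str) -> str:
    """JEP-0070 profile: any character outside US-ASCII in the JID or the
    transaction identifier becomes percent-encoded UTF-8 octets."""
    out = []
    for ch in s:
        if ord(ch) < 0x80:
            out.append(ch)
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(jid, transaction_id, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 'response' value with username = JID, password = transaction ID."""
    ha1 = _md5(f"{ascii_only(jid)}:{REALM}:{ascii_only(transaction_id)}")
    ha2 = _md5(f"{method}:{uri}")  # qop absent or 'auth' (no body hash)
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(auth, transaction_id):
    """HTTP-server side: recompute the digest from the Authorization fields plus
    a transaction ID obtained separately (e.g. confirmed by the XMPP server);
    the ID itself is not recoverable from the one-way hash."""
    expected = digest_response(auth["username"], transaction_id, auth["method"],
                               auth["uri"], auth["nonce"], auth.get("qop"),
                               auth.get("nc"), auth.get("cnonce"))
    return hmac.compare_digest(expected, auth["response"])


# Constructed sample request (hypothetical values, not from the JEP).
# "method" is the HTTP request method, carried alongside the header fields.
TXN_ID = "a7374c1e-constructed"
AUTH = {
    "username": "juliet@example.com", "realm": REALM, "method": "GET",
    "uri": "/secret/file.txt", "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
}
AUTH["response"] = digest_response(AUTH["username"], TXN_ID, AUTH["method"],
                                   AUTH["uri"], AUTH["nonce"], AUTH["qop"],
                                   AUTH["nc"], AUTH["cnonce"])

if __name__ == "__main__":
    print("verify with confirmed ID:", verify(AUTH, TXN_ID))   # True
    print("verify with unknown ID:  ", verify(AUTH, "guess"))  # False
```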