[Standards-JIG] JEP-0070: Transaction ID in Digest method

Peter Saint-Andre stpeter at jabber.org
Tue May 30 16:32:29 UTC 2006


Maciek Niedzielski wrote:
> Let's say I want to use JEP-70 with digest method.
> My web browser sends a hash (e.g. MD5) of my JID + transaction ID +
> something else. A bit later, as the JEP says:
> "HTTP Server MUST pass the URL, method, JID, and transaction identifier
> to the XMPP Server for confirmation"
> How exactly may the server know the transaction identifier, if it was
> transformed by a unidirectional hash function?
> 
> I think that this ID could be passed via cnonce, since it really matches
> the original semantics of this argument.

Section 4.3.2 of JEP-0070 says:

******

The Digest Access Authentication scheme is defined in RFC 2617. This
scheme specifies that the authorization information shall consist of the
MD5 checksum of the username, the password, a nonce value provided in
the challenge, the HTTP method, and the requested URL. When the realm is
"xmpp", the profile defined herein further specifies that prior to
creating the MD5 checksum the username MUST be a valid JID as described
above, that the password MUST be a transaction identifier as described
above, and that any character in the JID or transaction identifier that
is outside the range of the US-ASCII coded character set MUST be
transformed into a percent-encoded octet as specified in Section 2.1 of
RFC 3986.

******

That seems wrong, since there is no "password" entity in digest auth.
Passing the transaction ID via the cnonce seems to be better.

Peter

- --
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
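As an added illustration (not code from the JEP or from anyone in this thread), the following computes the RFC 2617 Digest response exactly as the quoted section 4.3.2 profiles it: the JID as the username, the transaction ID as the password, realm "xmpp", and non-US-ASCII characters percent-encoded before hashing. The verifier function also shows the point raised above: because the response is a one-way hash, the side checking it must already hold the plaintext transaction ID. The JID, transaction ID, nonce and URL are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import quote

REALM = "xmpp"  # the realm value that selects the JEP-0070 profile

def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def pct_encode_non_ascii(s: str) -> str:
    """Percent-encode (RFC 3986, sec. 2.1) only characters outside US-ASCII."""
    return "".join(c if ord(c) < 0x80 else quote(c, safe="") for c in s)

def digest_response(jid, transaction_id, nonce, method, uri):
    """Browser side: RFC 2617 Digest response without qop, using the JID as
    the username and the transaction ID as the password (JEP-0070 4.3.2)."""
    username = pct_encode_non_ascii(jid)
    password = pct_encode_non_ascii(transaction_id)
    ha1 = _md5_hex(f"{username}:{REALM}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")

def verify_response(jid, transaction_id, nonce, method, uri, response):
    """Server side: the verifier cannot recover the transaction ID from the
    one-way hash, so it must already hold it and recompute the response."""
    expected = digest_response(jid, transaction_id, nonce, method, uri)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample values, not taken from the JEP or the thread.
    jid, txn, nonce = "jürgen@example.org", "txn-42", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    resp = digest_response(jid, txn, nonce, "GET", "/private/doc.html")
    print("response =", resp)
    print("verified:", verify_response(jid, txn, nonce, "GET", "/private/doc.html", resp))
    print("wrong txn:", verify_response(jid, "txn-43", nonce, "GET", "/private/doc.html", resp))
```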
