Re: original host name in request/header
hallam@alws.cern.ch
Mon, 13 Feb 1995 22:24:25 +0100
Hi folks,
We seem to have a number of suggestions :-
1) A request line for the original URI
2) A request line with the intended host name
The point is that for the security digest function we have to have (1).
This is because the keyed digest is produced as a function of the URI
to prevent spoofing of the URI. [the method is also included].
For the digest to work the original URI has to be reconstructed. This is
not necessarily possible if there is a proxy chain that is performing
multiple URI transformations.
So if (1) is going to be there in any case why not use it for this
as well?
Jeff and I are going to be very keen on having the Digest authentication
scheme in HTTP/1.1. The basic scheme is a dangerous security hole - Thank you
ITAR regulations! The Digest scheme has nothing like the flexibility of
Shen/S-HTTP but does allow the Basic scheme to be squished quickly.
Phill.
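
The point about the digest covering the method and URI, as an added example that is not part of the original message: it uses the response calculation later standardised in RFC 2617 (without qop) as a stand-in for the scheme under discussion, and shows verification failing once a proxy chain has rewritten the URI unless the original URI travels with the request. The host, credentials, nonce and the two proxy rewrites are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # keyed by the shared secret
    ha2 = md5_hex(f"{method}:{uri}")              # binds method and URI
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def proxy_chain(uri):
    """Constructed two-hop rewrite: hop 1 strips scheme and host,
    hop 2 remaps the path prefix onto the origin server's layout."""
    rest = uri.split("://", 1)[1]
    path = rest[rest.index("/"):]
    return path.replace("/docs/", "/archive/docs/", 1)

def server_verify(response, method, uri, cred, nonce):
    """Recompute the digest from the server's copy of the secret."""
    expected = digest_response(cred["user"], cred["realm"],
                               cred["password"], nonce, method, uri)
    return hmac.compare_digest(expected, response)

# Constructed sample values.
CRED = {"user": "alice", "realm": "example", "password": "s3cret"}
NONCE = "constructed-nonce-0001"
ORIGINAL_URI = "http://www.example.org/docs/report.html"

def demo():
    sent = digest_response(CRED["user"], CRED["realm"], CRED["password"],
                           NONCE, "GET", ORIGINAL_URI)
    seen = proxy_chain(ORIGINAL_URI)  # what the origin server's request line holds
    return {
        "rewritten_uri": seen,
        # Server only has the rewritten URI: the digest cannot be reproduced.
        "rewritten": server_verify(sent, "GET", seen, CRED, NONCE),
        # Original URI carried alongside the request: the digest verifies.
        "original": server_verify(sent, "GET", ORIGINAL_URI, CRED, NONCE),
        # A changed method is rejected because the method is in the digest too.
        "changed_method": server_verify(sent, "DELETE", ORIGINAL_URI, CRED, NONCE),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A server that verifies against a carried original URI still has to confirm that URI names the resource it is actually about to serve, otherwise the binding protects nothing.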