Re: Authenticated Transactions: Why Wait Another Year?
Peter J Churchyard (pjc@trusted.com)
Thu, 12 Sep 1996 14:55:19 -0400 (EDT)
My only complaint with the optional entity-digest is that it is not bound
with the authentication.
If a server uses digest to authenticate a user and returns a document with
an entity digest, the client needs to know that the digest was sent. Currently
a man in the middle can remove the digest and then modify the content. Part
of the 'challenge' should be a flag saying whether an entity digest is being
supplied.
The binding needs to be done also when the client POSTs or PUTs. The
authentication should include a flag saying that the client did supply an
entity-digest so that if a man in the middle removes the entity-digest the
authentication fails.
Peter.
--
The TIS Network Security Products Group has moved again!
voice: 301-527-9500x111 fax: 301-527-0482
Room 334, 15204 Omega Drive, Rockville, MD 20850
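The request-side binding described in the message above, as an added worked example (not part of the original post, and not the HTTP Digest draft's own construction): a toy client and server where the Authorization value either ignores the entity digest (the current behaviour) or covers a flag recording whether an entity digest was sent plus the digest itself (the proposed fix). Header names, the use of SHA-256 in place of the era's MD5, and the field layout fed to the hash are assumptions made for this illustration; the POST body and nonce are constructed sample values. The same binding would apply in the response direction, with the flag carried in the challenge.

```python
"""
Toy model of binding an entity-digest to a Digest-style request
authenticator.  Added illustration only: the header names, the hash
(SHA-256 standing in for 1996-era MD5) and the string layout hashed are
assumptions, not the HTTP-WG draft's construction.
"""
import hashlib
import hmac

ENTITY_HDR = "Entity-Digest"   # assumed header name for the body hash
AUTH_HDR = "Authorization"     # carries the client's computed response


def H(*parts: str) -> str:
    """Hash a ':'-joined list of fields (stand-in for the Digest KD function)."""
    return hashlib.sha256(":".join(parts).encode()).hexdigest()


def build_request(secret, nonce, method, uri, body, bound, send_digest=True):
    """Client side.  `bound=True` makes the authenticator cover a flag that
    says whether an entity digest was supplied, and the digest itself."""
    headers = {}
    entity_digest = H(body) if send_digest else None
    if entity_digest is not None:
        headers[ENTITY_HDR] = entity_digest
    if bound:
        flag = "1" if send_digest else "0"
        headers[AUTH_HDR] = H(secret, nonce, method, uri, flag, entity_digest or "")
    else:
        headers[AUTH_HDR] = H(secret, nonce, method, uri)   # digest not covered
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def verify_request(secret, nonce, req, bound):
    """Server side.  Recomputes the authenticator from what actually arrived
    and returns (accepted, reason)."""
    hdrs = req["headers"]
    present = ENTITY_HDR in hdrs
    sent_digest = hdrs.get(ENTITY_HDR, "")
    if bound:
        flag = "1" if present else "0"   # derived from the received request
        expected = H(secret, nonce, req["method"], req["uri"], flag, sent_digest)
    else:
        expected = H(secret, nonce, req["method"], req["uri"])
    if not hmac.compare_digest(expected, hdrs.get(AUTH_HDR, "")):
        return False, "authentication failed"
    if present and not hmac.compare_digest(sent_digest, H(req["body"])):
        return False, "entity digest mismatch"
    if not present:
        return True, "accepted without entity digest"
    return True, "accepted, entity digest verified"


def mitm_strip_and_tamper(req, new_body):
    """Active attacker: drops the entity digest header and rewrites the body.
    Authorization is left as-is since the attacker does not hold the secret."""
    headers = {k: v for k, v in req["headers"].items() if k != ENTITY_HDR}
    return {**req, "headers": headers, "body": new_body}


def demo():
    """Run the honest and the stripped-and-tampered request through both
    verifier variants.  Sample secret, nonce and bodies are constructed."""
    secret, nonce = "alice:s3cret", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    body, evil = "amount=10&to=bob", "amount=1000&to=mallory"
    results = {}
    for bound in (False, True):
        req = build_request(secret, nonce, "POST", "/transfer", body, bound)
        results[("honest", bound)] = verify_request(secret, nonce, req, bound)
        tampered = mitm_strip_and_tamper(req, evil)
        results[("stripped", bound)] = verify_request(secret, nonce, tampered, bound)
    return results


if __name__ == "__main__":
    for (case, bound), (ok, why) in demo().items():
        mode = "bound  " if bound else "unbound"
        print(f"{mode} {case:9s} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

In the unbound variant the server still accepts the stripped request with the rewritten body, because nothing it verifies records that a digest was ever sent. In the bound variant the server recomputes with flag "0" and an empty digest, the authenticator no longer matches, and the request is rejected; an attacker who instead leaves the header in place is caught by the body-digest comparison, and cannot recompute the authenticator without the secret.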