Re: Proposal for new HTTP 1.1 authentication scheme
Dave Kristol (dmk@bell-labs.com)
Tue, 09 Dec 1997 16:32:34 -0500

John Franks wrote:
>
> On Tue, 9 Dec 1997, Dave Kristol wrote:
>
> > I still feel my one objection about proxy-added headers is substantive
> > and unresolved. Briefly, an origin server might omit headers that get
> > figured into the entity-digest calculation. A proxy might subsequently
> > add those headers. The client sees a message *with* the headers,
> > calculates an entity-digest that figures them in, and gets a different
> > answer from what the origin server calculated.
> [...]
> I agree that there is an issue here. The current spec says the
> proxy MUST not add these headers. If I recall you suggested the
> MUST be changed to SHOULD. I am not sure how this helps beyond
> making the proxy technically "legal." It doesn't materially affect
> the problem.

Ummm... I think my "MUST -> SHOULD" had to do with a proxy's changing
the content of headers. I think I see the words to which you're
referring (end of p.13), and they mention Content-Length explicitly but
don't mention Date. And there's a potential problem with
Content-Length: suppose a proxy eats chunked data and wants to create a
complete entity *with* Content-Length. Is it hereby forced to forward
the entity as "chunked" because it's forbidden to add Content-Length?

>
> What should a proxy do in this situation? It seems it must either
> not add headers or break the entity-digest.

I agree it's a dilemma. An option is to require that clients send
Content-Length and (perhaps) not Date, and forbid proxies to add either
within this context.

Dave Kristol
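
The mismatch discussed in this message, as an added example that is not part of the original post or of the draft. It uses a simplified model: the covered header list, the treatment of an absent header as an empty string, the `secret` standing in for the shared key material, and all sample values are assumptions, not the draft's exact entity-digest formula.

```python
import hashlib
import hmac

# Assumption: headers covered by the digest in this simplified model.
COVERED = ("Content-Type", "Content-Length", "Date")

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def entity_digest(secret, nonce, headers, body):
    """Keyed digest over the covered headers (absent -> "") and the body hash."""
    fields = [headers.get(name, "") for name in COVERED]
    material = ":".join([secret, nonce, *fields, md5_hex(body)])
    return md5_hex(material.encode("ascii"))

def proxy_forward(headers, body):
    """Hypothetical proxy: buffers a chunked entity, then supplies any missing
    Content-Length and Date before forwarding."""
    out = {k: v for k, v in headers.items() if k != "Transfer-Encoding"}
    out.setdefault("Content-Length", str(len(body)))
    out.setdefault("Date", "Tue, 09 Dec 1997 21:40:00 GMT")  # constructed value
    return out

def client_accepts(secret, nonce, received_headers, body, claimed):
    """Client recomputes the digest from the headers it actually received."""
    expected = entity_digest(secret, nonce, received_headers, body)
    return hmac.compare_digest(expected, claimed)

def run_scenarios():
    secret, nonce, body = "s3cret", "abc123", b"hello, world\n"  # constructed
    chunked = {"Content-Type": "text/plain", "Transfer-Encoding": "chunked"}
    complete = {"Content-Type": "text/plain",
                "Content-Length": str(len(body)),
                "Date": "Tue, 09 Dec 1997 21:32:34 GMT"}
    results = {}
    for name, origin in (("origin_omits", chunked), ("origin_sends", complete)):
        claimed = entity_digest(secret, nonce, origin, body)
        results[name + "_direct"] = client_accepts(secret, nonce, origin, body, claimed)
        results[name + "_via_proxy"] = client_accepts(
            secret, nonce, proxy_forward(origin, body), body, claimed)
    return results

if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario}: digest {'matches' if ok else 'MISMATCH'}")
```

Only the case where the origin omits covered headers and the proxy supplies them fails verification; when the origin sends them itself, the proxy has nothing to add and the digest survives the hop.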