Re: Proposal for new HTTP 1.1 authentication scheme
Ben Laurie (ben@algroup.co.uk)
Tue, 09 Dec 1997 21:39:39 +0000
Dave Kristol wrote:
>
> John Franks wrote:
> >
> > On Tue, 9 Dec 1997, Dave Kristol wrote:
> >
> > > I still feel my one objection about proxy-added headers is substantive
> > > and unresolved. Briefly, an origin server might omit headers that get
> > > figured into the entity-digest calculation. A proxy might subsequently
> > > add those headers. The client sees a message *with* the headers,
> > > calculates an entity-digest that figures them in, and gets a different
> > > answer from what the origin server calculated.
> > [...]
> > I agree that there is an issue here. The current spec says the
> > proxy MUST not add these headers. If I recall you suggested the
> > MUST be changed to SHOULD. I am not sure how this helps beyond
> > making the proxy technically "legal." It doesn't materially affect
> > the problem.
>
> Ummm... I think my "MUST -> SHOULD" had to do with a proxy's changing
> the content of headers. I think I see the words to which you're
> referring (end of p.13), and they mention Content-Length explicitly but
> don't mention Date. And there's a potential problem with
> Content-Length: suppose a proxy eats chunked data and wants to create a
> complete entity *with* Content-Length. Is it hereby forced to forward
> the entity as "chunked" because it's forbidden to add Content-Length?
> >
> > What should a proxy do in this situation? It seems it must either
> > not add headers or break the entity-digest.
>
> I agree it's a dilemma. An option is to require that clients send
> Content-Length and (perhaps) not Date, and forbid proxies to add either
> within this context.
Alternatively, you exclude those headers from the digest?
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd, |http://www.algroup.co.uk/Apache-SSL
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
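
The dilemma in this thread, as an added example that is not part of the original message or of the draft under discussion: a simplified keyed digest over the headers and body fails at the client once a proxy adds Content-Length and Date, and verifies again when those two headers are excluded from the calculation. HMAC-SHA-256 stands in for the scheme's own digest function, and the secret, nonce, header values and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Headers named in the thread as ones a proxy may add in transit.
PROXY_MUTABLE = frozenset({"content-length", "date"})

def entity_digest(secret, nonce, headers, body, exclude=frozenset()):
    """Simplified keyed digest over covered headers plus a hash of the body.
    Assumption: this is NOT the draft's formula, only the same shape."""
    covered = sorted((k.lower(), v.strip()) for k, v in headers.items()
                     if k.lower() not in exclude)
    msg = "\n".join([nonce] + [f"{k}:{v}" for k, v in covered]).encode()
    msg += b"\n" + hashlib.sha256(body).hexdigest().encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def proxy_forward(headers, body):
    """Constructed proxy: adds Content-Length and Date, leaves the rest alone."""
    out = dict(headers)
    out["Content-Length"] = str(len(body))
    out["Date"] = "Tue, 09 Dec 1997 21:40:00 GMT"  # constructed value
    return out

def client_accepts(secret, nonce, sent_digest, headers, body, exclude=frozenset()):
    """Client recomputes the digest over the message as it actually arrived."""
    expected = entity_digest(secret, nonce, headers, body, exclude)
    return hmac.compare_digest(expected, sent_digest)

def run_demo():
    secret, nonce = b"constructed-shared-secret", "constructed-nonce"
    body = b"<html>hello</html>"
    origin_headers = {"Content-Type": "text/html"}  # origin omits length and date
    seen = proxy_forward(origin_headers, body)      # what the client receives

    # Policy 1: digest covers every header present in the message.
    d_all = entity_digest(secret, nonce, origin_headers, body)
    # Policy 2: proxy-mutable headers are left out of the digest on both sides.
    d_ex = entity_digest(secret, nonce, origin_headers, body, PROXY_MUTABLE)
    return {
        "cover_all": client_accepts(secret, nonce, d_all, seen, body),
        "exclude_mutable": client_accepts(secret, nonce, d_ex, seen, body,
                                          PROXY_MUTABLE),
        # The body hash is still covered, so a changed body (and therefore a
        # changed length) is rejected even though Content-Length is excluded.
        "tampered_body": client_accepts(secret, nonce, d_ex, seen, body + b"!",
                                        PROXY_MUTABLE),
    }

if __name__ == "__main__":
    print(run_demo())
```

With the exclusion in place the Date value itself is no longer authenticated, so a client cannot rely on it for freshness.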