Re: Digest mess

Dave Kristol (dmk@bell-labs.com)
Tue, 30 Dec 1997 13:56:54 -0500


John Franks wrote:
> [...]
>             transaction-info       =
>               H(
>                 Method ":"
>                 digest-uri-value ":"
>                 media-type ":"   ; Content-Type, see section 3.7 of [2]
>                 content-coding ":" ; Content-Encoding, see 3.5 of [2]
>                 dheader-content
>                 )
> 
>             dheader-content   = *DIGIT ":" ; HTTP response status code
>                                 *DIGIT ":"         ; entity-length, see ??
>                                 date ":"  ; contents of origin HTTP date header
>                                 last-modified ":" ; last modified date
>                                 expires   ; expiration date

It's time for me to be stupid again.

The dheader-content gets digested in transaction-info, and it gets sent
in the clear as part of Authentication-Info.  Is there any expectation
(or requirement) that a receiver will validate the individual pieces of
dheader-content?  If not, then the sender could put arbitrary garbage in
dheader-content, and as long as the same garbage appeared in both
places, the bits will come out right, but nothing useful will have been
accomplished.

Dave Kristol
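An added illustration of the check Dave is asking about (example code written for this archive page, not from the draft or from either poster): a receiver that rebuilds dheader-content from the status and headers it actually observed rejects the "same garbage in both places" case, while a receiver that simply reuses the dheader-content from Authentication-Info accepts it. H() as hex MD5, the dictionary field names and the sample response values are assumptions.

```python
import hashlib

def H(data: str) -> str:
    # Digest's H() taken as hex MD5, as in the 1997 drafts (assumption)
    return hashlib.md5(data.encode("latin-1")).hexdigest()

def dheader_content(status: int, entity_length: int, date: str,
                    last_modified: str, expires: str) -> str:
    # dheader-content laid out as in the quoted grammar
    return f"{status}:{entity_length}:{date}:{last_modified}:{expires}"

def transaction_info(method: str, digest_uri: str, media_type: str,
                     content_coding: str, dheader: str) -> str:
    # transaction-info = H(Method ":" digest-uri-value ":" media-type ":"
    #                      content-coding ":" dheader-content)
    return H(f"{method}:{digest_uri}:{media_type}:{content_coding}:{dheader}")

def verify_trusting(auth_info: dict, resp: dict) -> bool:
    """Receiver that reuses dheader-content from Authentication-Info as-is.
    Any sender that hashes the same bytes it sent in the clear passes."""
    expected = transaction_info(resp["method"], resp["uri"], resp["media_type"],
                                resp["content_coding"], auth_info["dheader"])
    return auth_info["transaction-info"] == expected

def verify_validating(auth_info: dict, resp: dict) -> bool:
    """Receiver that rebuilds dheader-content from the status and headers it
    actually observed, so the digest binds those values, not the claimed ones."""
    observed = dheader_content(resp["status"], resp["entity_length"], resp["date"],
                               resp["last_modified"], resp["expires"])
    if auth_info["dheader"] != observed:
        return False
    expected = transaction_info(resp["method"], resp["uri"], resp["media_type"],
                                resp["content_coding"], observed)
    return auth_info["transaction-info"] == expected

def make_auth_info(resp: dict, dheader: str) -> dict:
    # Sender side: the clear-text dheader-content plus the digest over it
    ti = transaction_info(resp["method"], resp["uri"], resp["media_type"],
                          resp["content_coding"], dheader)
    return {"dheader": dheader, "transaction-info": ti}

# Constructed sample: what the receiver actually saw on the wire
RESP = {"method": "GET", "uri": "/index.html", "media_type": "text/html",
        "content_coding": "identity", "status": 200, "entity_length": 1024,
        "date": "Tue, 30 Dec 1997 18:56:54 GMT",
        "last_modified": "Mon, 29 Dec 1997 00:00:00 GMT",
        "expires": "Wed, 31 Dec 1997 00:00:00 GMT"}
HONEST = make_auth_info(RESP, dheader_content(200, 1024, RESP["date"],
                                              RESP["last_modified"], RESP["expires"]))
GARBAGE = make_auth_info(RESP, "999:0:junk:junk:junk")  # arbitrary garbage, same in both places
```

Both receivers accept HONEST; only verify_validating rejects GARBAGE, which is the difference between the digest binding the response headers and merely binding whatever the sender chose to write.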