Re: Digest mess
Scott Lawrence (lawrence@agranat.com)
Wed, 07 Jan 1998 13:53:21 -0500
>>>>> "DK" == Dave Kristol <dmk@bell-labs.com> writes:
DK> The conflicting positions (should Digest have some kind of integrity
DK> check?) seem to stem from two different perspectives:
DK> 1) Servers want to identify users. Neither the server nor the client is
DK> particularly concerned about the integrity of messages (typically GETs
DK> that return information to the client).
I don't accept that at all. If I'm a client requesting a form that
I'm going to submit authenticated, I'd like to know that the form is
what the server sent (not one with a new ACTION= attribute inserted
to send it somewhere else), and that the result of submitting the
form is equally authentic. Both of these require server->client
authentication and message integrity.
DK> Can the two functions be separated so (1) can progress with "old"
DK> Digest?
I don't think so (but I bet no one is surprised at that).
--
Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/