4/13/98 http-authentication-01.txt comments

Dave Kristol (dmk@research.bell-labs.com)
Mon, 13 Apr 1998 16:07:13 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dave Kristol: "Digest testing site available"
Previous message: Henrik Frystyk Nielsen: "Issue: warning header should be general header, not response"
Next in thread: John Franks: "HTTP-authentication-01.txt comments"
Reply: John Franks: "HTTP-authentication-01.txt comments"

(It's gotten so I have to date them! :-)


3.2.2 The Authorization Request Header

    response         = "response" "=" request-digest

Later there's this text:
    The definition of request-digest above indicates the encoding for
    its value. The following definitions show how the value is
    computed.

Unfortunately, there *is* no "definition ... above".  The non-terminal
request-digest has no syntactic definition.  I suspect it should be

	request-digest = <"> *LHEX <">


3.2.3 The Authentication-Info Header

cnonce and qop are used in the calculation of response-digest.  The
client is not required to send either cnonce= or auth=.  So I assume
(correct?) that the null string is used for values for omitted
attributes in the calculation.

If (to use cnonce as the example) cnonce was omitted, should
Authentication-Info omit cnonce, or should it send cnonce=""?  Same
question for auth.

Dave Kristol

Next message: Dave Kristol: "Digest testing site available"
Previous message: Henrik Frystyk Nielsen: "Issue: warning header should be general header, not response"
Next in thread: John Franks: "HTTP-authentication-01.txt comments"
Reply: John Franks: "HTTP-authentication-01.txt comments"