HTTP-authentication-01.txt comments

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Dave Kristol: "Re: HTTP-authentication-01.txt comments"
• Previous message: Dave Kristol: "Digest testing site available"
• In reply to: Dave Kristol: "4/13/98 http-authentication-01.txt comments"
• Next in thread: Dave Kristol: "Re: HTTP-authentication-01.txt comments"
• Maybe reply: Dave Kristol: "Re: HTTP-authentication-01.txt comments"
• Reply: Scott Lawrence: "Re: HTTP-authentication-01.txt comments"

On Mon, 13 Apr 1998, Dave Kristol wrote:

> 
> 3.2.3 The Authentication-Info Header
> 
> cnonce and qop are used in the calculation of response-digest.  The
> client is not required to send either cnonce= or auth=.  So I assume
> (correct?) that the null string is used for values for omitted
> attributes in the calculation.
> 
> If (to use cnonce as the example) cnonce was omitted, should
> Authentication-Info omit cnonce, or should it send cnonce=""?  Same
> question for auth.
> 

It might be better to say that Authentication-Info should only be
sent if qop (and hence cnonce) are present.


Another question: Unless I am mistaken, at one point in the long
sequence of digest drafts, the Authentication-Info header could be
supplied by either the server or the client.  It would be useful
for the client to be able to supply the digest of POSTed data
or a file which is PUT.  Being able to assure the integrity of
client supplied data would be very useful.  Did this fall through
the cracks, or am I just missing this functionality somewhere in
the draft?


John Franks
john@math.nwu.edu

• Next message: Dave Kristol: "Re: HTTP-authentication-01.txt comments"
• Previous message: Dave Kristol: "Digest testing site available"
• In reply to: Dave Kristol: "4/13/98 http-authentication-01.txt comments"
• Next in thread: Dave Kristol: "Re: HTTP-authentication-01.txt comments"
• Maybe reply: Dave Kristol: "Re: HTTP-authentication-01.txt comments"
• Reply: Scott Lawrence: "Re: HTTP-authentication-01.txt comments"