Re: HTTP-authentication-01.txt comments
Dave Kristol (dmk@bell-labs.com)
Tue, 14 Apr 1998 14:58:09 -0400
John Franks wrote:
>
> On Mon, 13 Apr 1998, Dave Kristol wrote:
>
> >
> > 3.2.3 The Authentication-Info Header
> >
> > cnonce and qop are used in the calculation of response-digest. The
> > client is not required to send either cnonce= or auth=. So I assume
> > (correct?) that the null string is used for values for omitted
> > attributes in the calculation.
> >
> > If (to use cnonce as the example) cnonce was omitted, should
> > Authentication-Info omit cnonce, or should it send cnonce=""? Same
> > question for auth.
> >
>
> It might be better to say that Authentication-Info should only be
> sent if qop (and hence cnonce) are present.
But cnonce is not required, even when qop is specified. Only
nonce-count is required.
>
> Another question: Unless I am mistaken, at one point in the long
> sequence of digest drafts, the Authentication-Info header could be
> supplied by either the server or the client. It would be useful
> for the client to be able to supply the digest of POSTed data
> or a file which is PUT. Being able to assure the integrity of
> client supplied data would be very useful. Did this fall through
> the cracks, or am I just missing this functionality somewhere in
> the draft?
Hmmm. There does not seem to be a way for the client to send a digest
of the entity-body. If it could, though, there's an ambiguity about
qop=auth-int:
1) C<-S
      HTTP/1.1 401 Unauthorized
      WWW-Authenticate: ... qop="auth,auth-int", ...
2) C->S (speculative)
      POST /some/entity HTTP/1.1
      Host: blah
      Authorization: ... qop=auth-int, ...
      Authentication-Info: reqauth=<some suitable digest>, ...
3) C<-S (problematic)
      HTTP/1.1 200 OK
      Authentication-Info: qop=auth-int, rspauth=<entity digest>
The problem is that the client chose (this is speculative -- the spec.
doesn't read this way) "auth-int", in order to send an entity digest.
But the server is obliged to respond in kind, which means it must do a
digest of what is probably not a very interesting response.
Dave Kristol