Re: HTTP-authentication-01.txt comments
Scott Lawrence (lawrence@agranat.com)
Tue, 14 Apr 1998 16:00:04 -0400 (EDT)
> From: John Franks <john@math.nwu.edu>
> Another question: Unless I am mistaken, at one point in the long
> sequence of digest drafts, the Authentication-Info header could be
> supplied by either the server or the client. It would be useful
> for the client to be able to supply the digest of POSTed data
> or a file which is PUT. Being able to assure the integrity of
> client supplied data would be very useful. Did this fall through
> the cracks, or am I just missing this functionality somewhere in
> the draft?
It is in the Authorization header now. In section 3.2.2, it says:
] request-digest = <"> < KD ( H(A1), unq(nonce-value)
]                                    ":" nc-value
]                                    ":" unq(cnonce-value)
]                                    ":" unq(qop-value)
]                                    ":" H(A2)
]                             ) <">
...
] If the "qop" directive's value is "auth" or is unspecified, then A2 is:
]
] A2 = Method ":" digest-uri-value
]
] If the "qop" value is "auth-int", then A2 is:
]
] A2 = Method ":" digest-uri-value ":" H(entity-body)
So A2 in the response digest (poor name, that, because it is the
response to the challenge, but it appears in a request) contains the
hash of the body. That way we don't need another header. I don't
believe that we specified that this may appear in a trailer,
though.
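
Added example, not part of the original message or the draft: a Python sketch of the request-digest computation quoted above, showing that with qop=auth-int a changed entity body no longer verifies, while with qop=auth the body is not covered. It assumes MD5 for H, and takes KD(secret, data) = H(secret ":" data) and A1 = username ":" realm ":" password from RFC 2617, since neither definition is quoted in the message; all sample values are constructed.

```python
import hashlib
import hmac


def H(data: bytes) -> str:
    """H() as lowercase hex MD5 (assumed: the scheme's default algorithm)."""
    return hashlib.md5(data).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data), per RFC 2617 (not quoted above)."""
    return H(f"{secret}:{data}".encode())


def request_digest(user, realm, password, method, uri, nonce, nc, cnonce,
                   qop="auth", body=b""):
    # A1 = username ":" realm ":" password (RFC 2617 definition, not quoted above).
    ha1 = H(f"{user}:{realm}:{password}".encode())
    a2 = f"{method}:{uri}"
    if qop == "auth-int":
        # auth-int binds the entity body into A2 via H(entity-body).
        a2 += ":" + H(body)
    elif qop != "auth":
        raise ValueError(f"unsupported qop: {qop!r}")
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{H(a2.encode())}")


def verify(received_digest, received_body, **params):
    """Server side: recompute over the body actually received, compare in constant time."""
    expected = request_digest(body=received_body, **params)
    return hmac.compare_digest(expected, received_digest)


# Constructed sample values (not from the original message).
PARAMS = dict(user="alice", realm="example", password="s3cret", method="PUT",
              uri="/files/report.txt", nonce="abc123", nc="00000001",
              cnonce="0a4f113b", qop="auth-int")
BODY = b"quarterly totals: 42\n"

if __name__ == "__main__":
    digest = request_digest(body=BODY, **PARAMS)
    print("intact body  :", verify(digest, BODY, **PARAMS))
    print("altered body :", verify(digest, BODY.replace(b"42", b"43"), **PARAMS))
    auth_only = dict(PARAMS, qop="auth")
    d2 = request_digest(body=BODY, **auth_only)
    print("qop=auth, altered body still verifies:",
          verify(d2, b"anything", **auth_only))
```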