RE: rfc2617: response-auth calculation
Joe Orton (joe@orton.demon.co.uk)
Mon, 19 Jul 1999 14:29:34 +0100 (BST)
> > In the calculation of the response-auth digest for the
> > 'Authentication-Info' header, is the qop-value used the one which is
> > sent by the client in the 'Authorization' header, or the one sent by
> > the server in the Auth-Info header itself?
>
> The intent was that they should be the same. The server presents
> alternatives it is willing to support in the WWW-Authenticate challenge, and
> the client chooses one in its Authorization. The server should then use
> that value in the response. If it is not willing to use 'auth', then it
> should not present that alternative in the challenge.
Ah, can auth-int be used for messages with no body (zero-length), e.g.
GET requests? I presumed it couldn't, maybe this is the source of my
confusion.
> If you did switch between request and response, you would want the server to
> use the value it is sending in calculating the digest - the point of
> including it in the digest is that it be protected from modification.
Okay, thanks.
> As a practical matter, changing qop wouldn't work at all today, since the
> only commercial browser that does digest at all doesn't support 'auth-int'
> yet.
(I'm writing client code).
Regards,
joe
--
Joe Orton
joe@orton.demon.co.uk ... jeo101@york.ac.uk
http://www.orton.demon.co.uk/
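A worked example of the calculation under discussion, added here as an illustration and not code from Joe's post, from RFC 2617, or from any project. It computes the client's request-digest (`response` in `Authorization`) and the server's response-digest (`rspauth` in `Authentication-Info`) per RFC 2617 3.2.2 and 3.2.3, shows that the server must feed the client's chosen qop, nonce, nc and cnonce into `rspauth`, and shows what `auth-int` means for a body-less GET: the entity body hashed is simply the empty string. The username, realm, password, nonce and URI are the RFC 2617 section 3.5 example values; the function names and the `cnonce`/response-body values are my own constructed choices.

```python
"""RFC 2617 Digest: request-digest ('response') and response-digest ('rspauth').

Added example, not from the original mailing-list post. Credentials and
nonce are the RFC 2617 section 3.5 example; everything else is constructed.
"""
import hashlib


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("latin-1")).hexdigest()


def _kd(secret: str, data: str) -> str:
    # RFC 2617: KD(secret, data) = H(secret ":" data)
    return _md5(f"{secret}:{data}")


def entity_hash(entity_body: bytes) -> str:
    # H(entity-body); for a body-less message this is H("")
    return hashlib.md5(entity_body).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5 (RFC 2617 3.2.2.2)."""
    return _md5(f"{username}:{realm}:{password}")


def client_response(h_a1, method, uri, nonce, nc, cnonce, qop, entity_body=b""):
    """request-digest sent by the client in Authorization (RFC 2617 3.2.2.1)."""
    if qop == "auth":
        a2 = f"{method}:{uri}"
    elif qop == "auth-int":
        # auth-int also covers the request entity body; a GET with no body
        # hashes the empty string, which is still a well-defined value.
        a2 = f"{method}:{uri}:{entity_hash(entity_body)}"
    else:
        raise ValueError(f"unsupported qop: {qop!r}")
    return _kd(h_a1, f"{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2)}")


def server_rspauth(h_a1, uri, nonce, nc, cnonce, qop, entity_body=b""):
    """response-digest sent by the server in Authentication-Info (RFC 2617 3.2.3).

    A2 has an empty method field. nonce, nc, cnonce and qop are the ones the
    client used in its Authorization header. For auth-int the hashed body is
    the *response* entity body, so the server computes this once it knows it.
    """
    if qop == "auth":
        a2 = f":{uri}"
    elif qop == "auth-int":
        a2 = f":{uri}:{entity_hash(entity_body)}"
    else:
        raise ValueError(f"unsupported qop: {qop!r}")
    return _kd(h_a1, f"{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2)}")


def client_checks_rspauth(h_a1, uri, nonce, nc, cnonce, request_qop,
                          response_qop, rspauth, response_body=b""):
    """Client-side verification: the qop in Authentication-Info must equal the
    one the client sent, and rspauth must recompute under it."""
    if response_qop != request_qop:
        return False
    expected = server_rspauth(h_a1, uri, nonce, nc, cnonce, request_qop, response_body)
    return expected == rspauth


def demo(qop: str) -> dict:
    """One GET exchange under the given qop; returns the digests and check results."""
    h = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    uri = "/dir/index.html"
    body = b"<html>hello</html>"  # constructed response body
    resp = client_response(h, "GET", uri, nonce, nc, cnonce, qop)  # GET: no request body
    rspauth = server_rspauth(h, uri, nonce, nc, cnonce, qop, body)
    other = "auth-int" if qop == "auth" else "auth"
    return {
        "response": resp,
        "rspauth": rspauth,
        # server echoes the client's qop: verifies
        "same_qop_ok": client_checks_rspauth(h, uri, nonce, nc, cnonce, qop, qop, rspauth, body),
        # server switched qop in Authentication-Info: client rejects
        "switched_qop_ok": client_checks_rspauth(h, uri, nonce, nc, cnonce, qop, other, rspauth, body),
    }


if __name__ == "__main__":
    for q in ("auth", "auth-int"):
        print(q, demo(q))
```

The `auth` case reproduces the RFC 2617 section 3.5 `response` value exactly, which is a convenient self-check for client code. Note that `rspauth` for `auth-int` depends on the response body, so a server that streams a body of unknown length cannot emit `Authentication-Info` as a normal header before the body; that practical limitation, not the empty-body case, is what usually rules `auth-int` out.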