
Re: original host name in request/header

From: <hallam@alws.cern.ch>
Date: Mon, 13 Feb 1995 22:24:25 +0100
Message-Id: <9502132124.AA01921@dxmint.cern.ch>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Hi folks,

	We seem to have a number of suggestions :-

1) A request line for the original URI
2) A request line with the intended host name

The point is that for the security digest function we have to have (1).
This is because the keyed digest is produced as a function of the URI
to prevent spoofing of the URI. [the method is also included].

For the digest to work the original URI has to be reconstructed. This is
not necessarily possible if there is a proxy chain that is performing
multiple URI transformations.

So if (1) is going to be there in any case why not use it for this
as well?

Jeff and I are going to be very keen on having the Digest authentication
scheme in HTTP/1.1. The basic scheme is a dangerous security hole - Thank you
ITAR regulations! The Digest scheme has nothing like the flexibility of
Shen/S-HTTP but does allow the Basic scheme to be squished quickly. 

Received on Monday, 13 February 1995 13:28:49 UTC
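
The proxy-chain problem raised in the message above, as an added example that is not part of the original message: a keyed digest over the method and URI stops verifying once proxies rewrite the Request-URI, unless the original URI travels with the request. HMAC-SHA256 stands in for the keyed digest (the message does not name an algorithm), and the `original_uri` field, the key, the URIs and the proxy transformations are all constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret"  # constructed sample key

def keyed_digest(key, method, uri):
    # Stand-in keyed digest (assumption): HMAC-SHA256 over method and URI.
    msg = method.encode() + b"\n" + uri.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def client_request(key, method, uri):
    # "original_uri" is a hypothetical field playing the role of suggestion (1).
    return {"method": method, "request_uri": uri, "original_uri": uri,
            "digest": keyed_digest(key, method, uri)}

def through_proxies(request, transforms):
    # Each proxy rewrites only the Request-URI it forwards.
    out = dict(request)
    for transform in transforms:
        out["request_uri"] = transform(out["request_uri"])
    return out

def verify(key, request, uri_field):
    # Recompute the digest from the chosen URI field and compare in constant time.
    expected = keyed_digest(key, request["method"], request[uri_field])
    return hmac.compare_digest(expected, request["digest"])

# Constructed proxy chain: the first strips scheme and host, the second remaps the path.
CHAIN = [
    lambda u: "/" + u.split("/", 3)[3],
    lambda u: u.replace("/docs/", "/mirror/docs/", 1),
]

def run_demo():
    sent = client_request(KEY, "GET", "http://www.example.org/docs/report.html")
    received = through_proxies(sent, CHAIN)
    tampered = dict(received, original_uri="http://www.example.org/docs/other.html")
    swapped = dict(received, method="DELETE")
    return {
        "forwarded_uri": received["request_uri"],
        "verify_forwarded_uri": verify(KEY, received, "request_uri"),
        "verify_original_uri": verify(KEY, received, "original_uri"),
        "verify_tampered_uri": verify(KEY, tampered, "original_uri"),
        "verify_changed_method": verify(KEY, swapped, "original_uri"),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The origin server only sees the rewritten URI, so the digest check fails on it; carrying the original URI restores verification, and the digest still rejects a changed URI or method.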
