Re: original host name in request/header

From: <hallam@alws.cern.ch>
Date: Mon, 13 Feb 1995 22:24:25 +0100
Message-Id: <9502132124.AA01921@dxmint.cern.ch>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Hi folks,


	We seem to have a number of suggestions :-

1) A request line for the original URI
2) A request line with the intended host name

The point is that for the security digest function we have to have (1).
This is because the keyed digest is produced as a function of the URI
to prevent spoof of the URI. [the method is also included].

For the digest to work the original URI has to be reconstructed. This is
not necessarily possible if there is a proxy chain that is performing
multiple URI transformations.


So if (1) is going to be there in any case why not use it for this
as well?

Jeff and I are going to be very keen on having the Digest authentication
scheme in HTTP/1.1. The basic scheme is a dangerous security hole - Thank you
ITAR regulations! The Digest scheme has nothing like the flexibility of
Shen/S-HTTP but does allow the Basic scheme to be squished quickly. 


	Phill.
Received on Monday, 13 February 1995 13:28:49 EST
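
An added illustration of the point made in the message above; it is not part of the original post and not the Digest scheme's own algorithm. HMAC-SHA256 stands in for the keyed digest over method and URI, and the `original_uri` field, the key, the URIs and the proxy rewrites are constructed assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret"  # constructed sample key

def keyed_digest(key: bytes, method: str, uri: str) -> str:
    # HMAC-SHA256 is a stand-in for the keyed digest; it covers method and URI.
    msg = method.encode() + b"\n" + uri.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def client_request(key: bytes, method: str, uri: str) -> dict:
    # "original_uri" is a hypothetical field carrying suggestion (1).
    return {"method": method, "uri": uri, "original_uri": uri,
            "digest": keyed_digest(key, method, uri)}

def proxy_rewrite(req: dict, old_prefix: str, new_prefix: str) -> dict:
    # One hop in a proxy chain: rewrites the request URI, forwards the rest.
    out = dict(req)
    if out["uri"].startswith(old_prefix):
        out["uri"] = new_prefix + out["uri"][len(old_prefix):]
    return out

def verify(key: bytes, req: dict, use_original_uri: bool) -> bool:
    # Recompute the digest over the chosen URI and compare in constant time.
    uri = req["original_uri"] if use_original_uri else req["uri"]
    expected = keyed_digest(key, req["method"], uri)
    return hmac.compare_digest(expected, req["digest"])

def demo() -> dict:
    # Constructed request passing through two URI-rewriting hops.
    req = client_request(KEY, "GET", "http://www.example.org/docs/a.html")
    hop1 = proxy_rewrite(req, "http://www.example.org", "http://cache.example.net/www")
    hop2 = proxy_rewrite(hop1, "http://cache.example.net/www/docs", "/mirror")
    spoofed = dict(hop2, original_uri="http://www.example.org/docs/b.html")
    return {
        "received_uri": hop2["uri"],
        "rewritten_uri_only": verify(KEY, hop2, use_original_uri=False),
        "with_original_uri": verify(KEY, hop2, use_original_uri=True),
        "spoofed_original_uri": verify(KEY, spoofed, use_original_uri=True),
        "changed_method": verify(KEY, dict(hop2, method="DELETE"), True),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The origin server cannot recompute the digest from the rewritten URI alone, while a carried original URI verifies and any alteration of it or of the method is rejected.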
