
Re: Digest Auth: mutual? (was Digest Auth (I think we have a deal!))

From: John Franks <john@math.nwu.edu>
Date: Wed, 28 Feb 1996 08:12:48 -0600 (CST)
To: Paul Leach <paulle@microsoft.com>
Cc: hallam@w3.org, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SUN.3.91.960228080555.25213A-100000@hopf.math.nwu.edu>
On Tue, 27 Feb 1996, Paul Leach wrote:
> Phil said, Tuesday, February 27, 1996 4:05PM:
> ----------
> ]
> ] 2) Is there an easy and backwards compatible mechanism whereby
> ] a server could authenticate itself to a client?
> 
> At first blush, the current protocol is mutually authenticating.  If 
> the server computes message-digest, and returns it in 
> Digest-MessageDigest, and the client verifies it, then it has proven 
> that it knows the shared secret.  

Beyond this, I think the answer to your question is no.  I don't think
we should allow any form of "authentication" of the server which does
not prevent tampering with the content of the served document.  Also
what I suspect you might really want is a way of authenticating the
server *before* making a POST or PUT.  These and other enhancements
will have to wait.

As pointed out by Larry Masinter our current charge is to respond to
specific objections to version 02 of the spec.  Even very good 
suggestions for enhancements will have to wait.


John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu
Received on Wednesday, 28 February 1996 06:14:30 EST
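As an added illustration of the two points above (not code from this thread or from any Digest draft): a simplified Python model of the KD(H(A1), ...) construction showing that a server digest computed from the shared secret proves the server's identity, but only detects tampering with the served document when H(entity-body) is part of its input. The credentials, nonce, bodies and the exact layout of the server-digest input are constructed assumptions, not the draft's formula.

```python
import hashlib
import hmac

def H(data: str) -> str:
    """MD5 hex digest, the H() of the Digest drafts of this era."""
    return hashlib.md5(data.encode()).hexdigest()

def KD(secret: str, data: str) -> str:
    """Keyed digest KD(secret, data) = H(secret ":" data)."""
    return H(f"{secret}:{data}")

def h_a1(user: str, realm: str, password: str) -> str:
    return H(f"{user}:{realm}:{password}")

def client_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """Client's proof of the shared secret (request direction)."""
    return KD(ha1, f"{nonce}:{H(f'{method}:{uri}')}")

def server_digest(ha1: str, nonce: str, method: str, body: str, cover_body: bool) -> str:
    """Server's proof of the shared secret (response direction).
    cover_body=False: proves only that the server knows the secret.
    cover_body=True: also binds H(entity-body), so an altered body no longer verifies.
    The input layout here is an assumption for illustration."""
    entity = H(body) if cover_body else ""
    return KD(ha1, f"{nonce}:{method}:{entity}")

def verify(expected: str, received: str) -> bool:
    """Constant-time comparison of two hex digests."""
    return hmac.compare_digest(expected, received)

def demo() -> dict:
    ha1 = h_a1("alice", "wg@example", "s3cret")       # constructed credentials
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"      # constructed nonce
    method, uri = "GET", "/account"
    genuine = "balance: 100"                          # constructed body as sent
    altered = "balance: 1000000"                      # constructed body as received after modification
    # request direction: server recomputes the client's response and compares
    req = client_response(ha1, nonce, method, uri)
    client_ok = verify(client_response(ha1, nonce, method, uri), req)
    # identity-only server digest: the altered body still verifies
    d_id = server_digest(ha1, nonce, method, genuine, cover_body=False)
    altered_passes_identity_only = verify(server_digest(ha1, nonce, method, altered, False), d_id)
    # body-binding server digest: genuine body verifies, altered body is rejected
    d_body = server_digest(ha1, nonce, method, genuine, cover_body=True)
    genuine_passes_bound = verify(server_digest(ha1, nonce, method, genuine, True), d_body)
    altered_passes_bound = verify(server_digest(ha1, nonce, method, altered, True), d_body)
    return {"client_ok": client_ok,
            "altered_passes_identity_only": altered_passes_identity_only,
            "genuine_passes_bound": genuine_passes_bound,
            "altered_passes_bound": altered_passes_bound}
```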
