
Re: more minor Digest Auth editorial comments

From: John Franks <john@math.nwu.edu>
Date: Wed, 28 Feb 1996 14:47:17 -0600 (CST)
To: Paul Leach <paulle@microsoft.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SUN.3.91.960228144218.26237C-100000@hopf.math.nwu.edu>

On Wed, 28 Feb 1996, Paul Leach wrote:

>
> I think there's a good argument that the <message-digest> should include
> at least the entity-headers and Date: as well as the <entity-body>, and
> maybe the other headers, too. This would prevent mucking with the
> Last-Modified, or Content-Type, etc., and Date: would prevent substituting
> an old reply for a new one. (This was another of Allan's points, BTW, that
> seems to have been left off of Larry's list. Sorry for not mentioning it
> earlier, but I couldn't tell until getting the <message-body> thing
> clarified. Actually it was two of his points -- that the total request
> wasn't authenticated, and that there was no freshness information.)
>
> If this is a backwards compatibility problem, then a new optional parameter
> "header=" could be used. This approach could also permit the separation of
> the entity-headers from the rest of the headers -- a cache would need to
> cough up entity-related digest that it got from the origin server, but
> construct a digest of the other headers using its own secret that it shares
> with the client.
>

I think this sounds good.  It should refer to objects defined in the
HTTP1.1 spec as Larry recommended.

> If this isn't too out of line, I'll write up specific proposed text.
> 

Great.  But try to do it quickly.  I would like to get version 03 of this
document submitted.  Also could you send me your address?

John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu
Received on Wednesday, 28 February 1996 12:50:33 EST
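
The proposal quoted above, as an added example that is not part of the original message or of the Digest draft: a digest over the entity-body alone next to one that also covers Date: and selected entity-headers, with a freshness check on Date:. HMAC-SHA-256, the header selection, the length-prefixed encoding, the 300-second window and all sample values are assumptions made for this illustration.

```python
import hashlib
import hmac
from email.utils import parsedate_to_datetime

COVERED = ("date", "content-type", "last-modified")  # assumed header selection
MAX_AGE = 300  # seconds a Date value counts as fresh (assumed policy)

def body_only_digest(secret, body):
    """Digest over the entity-body alone; headers are not protected."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def header_digest(secret, headers, body):
    """Digest over Date, the chosen entity-headers and the entity-body."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for name in COVERED:
        value = h.get(name, "").encode()
        # Length-prefix each field so adjacent values cannot run together.
        mac.update(len(value).to_bytes(4, "big") + value)
    mac.update(body)
    return mac.hexdigest()

def verify(secret, headers, body, digest, now):
    """Accept only an unmodified reply whose Date is within MAX_AGE of now."""
    if not hmac.compare_digest(header_digest(secret, headers, body), digest):
        return False
    h = {k.lower(): v for k, v in headers.items()}
    try:
        sent = parsedate_to_datetime(h["date"]).timestamp()
    except (KeyError, TypeError, ValueError):
        return False  # missing or unparseable Date: no freshness information
    return abs(now - sent) <= MAX_AGE

# Constructed sample reply and secret, for illustration only.
SECRET = b"constructed-shared-secret"
BODY = b"<html>price list</html>"
REPLY = {"Date": "Wed, 28 Feb 1996 20:47:17 GMT",
         "Content-Type": "text/html",
         "Last-Modified": "Tue, 27 Feb 1996 09:00:00 GMT"}
SENT_AT = parsedate_to_datetime(REPLY["Date"]).timestamp()

if __name__ == "__main__":
    digest = header_digest(SECRET, REPLY, BODY)
    altered = dict(REPLY, **{"Content-Type": "text/plain"})
    print("fresh reply accepted:", verify(SECRET, REPLY, BODY, digest, SENT_AT + 5))
    print("altered header accepted:", verify(SECRET, altered, BODY, digest, SENT_AT + 5))
    print("day-old replay accepted:", verify(SECRET, REPLY, BODY, digest, SENT_AT + 86400))
```

The body-only digest takes no header input, so a changed Content-Type or a reply replayed a day later carries the same valid value; the wider digest rejects both.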
