ietf-http-wg-old@w3.org mailing list archive (W3C), January to April 1996

Re: Digesting the digest...

From: Paul Leach <paulle@microsoft.com>
Date: Wed, 28 Feb 96 17:48:47 PST
To: http-wg-request%cuckoo.hpl.hp.com@hplb.hpl.hp.com, john@math.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: red-16-msg960229014240MTP[01.52.00]000000b1-121305
Peter said:
----------
] From: Peter J Churchyard  <pjc@trusted.com>
] To:  <"john@math.nwu.edu">;  <john@math.nwu.edu>
] Cc:  <"http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com">;
] <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
] Subject: Re: Digesting the digest...
] Date: Wednesday, February 28, 1996 2:10PM
]
] As I see it the optional message-digest and/or digest-messagedigest is
] only advisory since it can be removed in transit and the receiver doesn't
] know it was there.

A client that cares about modification in transit can reject responses 
without it, when talking to a server that it knows supplies it. Or see below.

]
] We might want to put into the "digest hashed data" a flag that is set if
] you also sent a Digest-MessageDigest so that its removal could be detected.

That's not what you need. The client needs to be able to ask the server 
to send Digest-MessageDigest. A new parameter in the Authorization 
field is what you want. If it got snipped out, then the client wouldn't 
get the D-MD it asked for.

If the client sent message= in the Authorization header, and the 
attacker removes it, I don't have a good answer. The server could refuse 
to accept requests without message= in the Authorization if it cared 
enough.  A flag in the WWW-Authenticate header could signal the client 
that it needed to send <message-digest>.

So, how about the following parameter for both Authorization and
WWW-Authenticate headers:
	digest-required=<"message" | "header" | "response">
where "message" means the receiver must include
	message=<message-digest>
in the response, "header" means the receiver must include
	header=<header-digest>
in the response, and "response" means the receiver must include
	response=<response-digest>
in the response.
Received on Wednesday, 28 February 1996 18:18:22 EST
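The exchange argued over above (an unsolicited digest can be stripped silently; a digest the client asked for via a digest-required parameter cannot; a stripped request digest is only caught if the server insists on message=), as an added example that is not part of the original message or of any HTTP draft. Everything in it is a model: the header names, the digest-required parameter and its placement follow the message, but the parameter parser is a simplified one, the username/realm/nonce values and the bodies are constructed, and the message digest is assumed to be hex MD5 over the entity body (the draft's actual construction is not reproduced here).

```python
import hashlib

MESSAGE_HDR = "Digest-MessageDigest"   # response digest header discussed in the thread


def parse_params(value):
    """Split 'Digest k1="v1", k2=v2' into (scheme, {k: v}), stripping quotes.
    Simplified: does not handle commas inside quoted values."""
    scheme, _, rest = value.partition(" ")
    params = {}
    for part in rest.split(","):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            params[k.strip()] = v.strip().strip('"')
    return scheme, params


def format_params(scheme, params):
    return scheme + " " + ", ".join(f'{k}="{v}"' for k, v in params.items())


def message_digest(body):
    # ASSUMPTION: modelled as hex MD5 over the entity body; the draft's exact
    # digest construction is not part of this example.
    return hashlib.md5(body).hexdigest()


# ---------------- client ----------------
def client_request(body, ask_for_digest):
    """Authorization carrying message= (digest of the request body) and,
    optionally, the proposed digest-required="message" parameter."""
    params = {"username": "john", "realm": "example", "nonce": "abc123",   # constructed
              "message": message_digest(body)}
    if ask_for_digest:
        params["digest-required"] = "message"
    return {"headers": {"Authorization": format_params("Digest", params)},
            "body": body}


def client_check(response, asked_for_digest):
    """Accept only if the digest we asked for is present and matches the body."""
    status, headers, body = response
    if status != 200:
        return f"rejected: status {status}"
    if MESSAGE_HDR not in headers:
        # The client knows what it asked for, so absence is detectable only then.
        return ("rejected: requested digest missing" if asked_for_digest
                else "accepted: no digest, none expected")
    if headers[MESSAGE_HDR] != message_digest(body):
        return "rejected: digest mismatch"
    return "accepted: digest verified"


# ---------------- server ----------------
def server_handle(request, require_message):
    """A server that 'cares enough' refuses requests lacking message=;
    it always supplies Digest-MessageDigest on its responses."""
    _, auth = parse_params(request["headers"]["Authorization"])
    body = request["body"]
    if require_message and "message" not in auth:
        challenge = 'Digest realm="example", nonce="abc123", digest-required="message"'
        return (401, {"WWW-Authenticate": challenge}, b"")
    if "message" in auth and auth["message"] != message_digest(body):
        return (400, {}, b"")
    resp_body = b"balance: 100"                    # constructed response body
    return (200, {MESSAGE_HDR: message_digest(resp_body)}, resp_body)


# ---------------- in-path attacker ----------------
def strip_header(response, name):
    status, headers, body = response
    return (status, {k: v for k, v in headers.items() if k != name}, body)


def strip_auth_param(request, name):
    scheme, params = parse_params(request["headers"]["Authorization"])
    params.pop(name, None)
    return {"headers": {"Authorization": format_params(scheme, params)},
            "body": request["body"]}


def scenario_unsolicited_digest_stripped():
    """Client did not ask; attacker removes the header; client cannot tell."""
    req = client_request(b"transfer 10", ask_for_digest=False)
    resp = strip_header(server_handle(req, require_message=False), MESSAGE_HDR)
    return client_check(resp, asked_for_digest=False)


def scenario_requested_digest_stripped():
    """Client asked via digest-required; stripping is now detectable."""
    req = client_request(b"transfer 10", ask_for_digest=True)
    resp = strip_header(server_handle(req, require_message=False), MESSAGE_HDR)
    return client_check(resp, asked_for_digest=True)


def scenario_request_digest_stripped(require_message):
    """Attacker drops message= from the request and tampers with the body;
    only a server that requires message= notices. Returns the status code."""
    req = client_request(b"transfer 10", ask_for_digest=True)
    tampered = strip_auth_param(req, "message")
    tampered["body"] = b"transfer 10000"
    status, _, _ = server_handle(tampered, require_message)
    return status
```

The three scenario functions are the argument in code: the first accepts a stripped response because the client had no way to expect the digest, the second rejects it because the client remembers asking, and the third returns 401 only when the server refuses requests without message=, which is the remaining gap the message leaves open.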

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:47 EDT