W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Re: Digesting the digest...

From: Peter J Churchyard <pjc@trusted.com>
Date: Thu, 29 Feb 1996 09:24:42 -0500 (EST)
Message-Id: <9602291424.AA07173@hilo.trusted.com>
To: pjc <pjc@hilo.trusted.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
For a POST or PUT operation (or any where the client is sending more
than a request and the server is using Digest Auth then if the client
wants to indicate that it did send a digest-messagedigest header then
an extra flag in the digest could be used.

If the client doesn't really care, then it uses the existing digest domain.

So if a server gets a POST or PUT where the digest-messagedigest was stripped
and maybe the data modified, then the auth would not succeed. If a d-md
is present and is valid, then the digest can be checked assuming that the 
flag is present and is that fails the auth can be tested without the flag
which shows that the d-md was optional.

As for d-md on responses, there is no strong way to indicate that a m-dm
is required except by out of bounds means. This also means that clients
authenticating servers cannot use m-dm.


If xxx-authenticate was considered a peer-peer property so either the client
or server can use it then authentication of the server could be possible but
this may or may not fit into current schemes.

Pete.
-- 
The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850
Received on Thursday, 29 February 1996 06:29:01 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:47 EDT