Re: Authenticated Transactions: Why Wait Another Year?

My only complaint with the optional entity-digest is that it is not bound
with the authentication. 

If a server uses digest to authenticate a user and returns a document with
an entity digest, the client needs to know that the digest was sent. Currently
a man in the middle can remove the digest and then modify the content. Part
of the 'challenge' should be a flag saying whether an entity digest is being 
supplied.

The binding needs to be done also when the client POSTs or PUTs. The 
authentication should include a flag saying that the client did supply an 
entity-digest so that if a man in the middle removes the entity-digest the 
authentication fails.

Peter.
-- 
The TIS Network Security Products Group has moved again!
voice: 301-527-9500x111  fax: 301-527-0482
Room 334, 15204 Omega Drive, Rockville, MD 20850

Received on Thursday, 12 September 1996 11:36:56 UTC
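The binding the message asks for, as an added illustration that is not part of the original post or of any HTTP specification: a toy model in which an authenticator either covers only the nonce and URI (the unbound case) or also covers a presence flag and the entity digest (the bound case). The shared secret, nonce, URI and header names are constructed for this example; an HMAC stands in for the password-derived material HTTP Digest would use.

```python
import hashlib
import hmac

# Constructed values for the demonstration only.
# In HTTP Digest the authenticator is keyed by password-derived material;
# an HMAC over a fixed shared secret stands in for it here.
SHARED_SECRET = b"constructed-shared-secret"
NONCE = "constructed-nonce-0001"
URI = "/report.txt"


def entity_digest(body: bytes) -> str:
    """Digest of the message body (the optional entity-digest)."""
    return hashlib.sha256(body).hexdigest()


def authenticator(fields: list) -> str:
    """HMAC over exactly the fields the authentication is meant to protect."""
    msg = "|".join(fields).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def build_message(body: bytes, bound: bool, include_digest: bool = True) -> dict:
    """Sender side (server response, or a client POST/PUT).

    Unbound: the authenticator covers only nonce and URI, so the digest header
    is a free-standing claim.  Bound: it also covers a flag saying whether a
    digest was supplied, and the digest value itself.
    """
    headers = {}
    digest = ""
    flag = "entity-digest=0"
    if include_digest:
        digest = entity_digest(body)
        headers["Entity-Digest"] = digest
        flag = "entity-digest=1"
    if bound:
        headers["Authenticator"] = authenticator([NONCE, URI, flag, digest])
    else:
        headers["Authenticator"] = authenticator([NONCE, URI])
    return {"headers": headers, "body": body}


def verify_message(msg: dict, bound: bool) -> bool:
    """Receiver side.  True only if every check the receiver can make holds."""
    headers, body = msg["headers"], msg["body"]
    digest = headers.get("Entity-Digest")
    # A digest header that is present must match the body that arrived.
    if digest is not None and not hmac.compare_digest(digest, entity_digest(body)):
        return False
    if bound:
        # The receiver reconstructs the flag from what it actually received,
        # so a stripped digest changes the flag and breaks the authenticator.
        flag = "entity-digest=1" if digest is not None else "entity-digest=0"
        expected = authenticator([NONCE, URI, flag, digest or ""])
    else:
        expected = authenticator([NONCE, URI])
    return hmac.compare_digest(headers.get("Authenticator", ""), expected)


def strip_digest_and_alter(msg: dict, new_body: bytes) -> dict:
    """Model of the interposition described in the post: the Entity-Digest
    header is dropped and the body replaced, the authenticator left as-is."""
    headers = {k: v for k, v in msg["headers"].items() if k != "Entity-Digest"}
    return {"headers": headers, "body": new_body}


def demo() -> dict:
    """Run the intact and tampered cases with and without binding."""
    original = b"balance: 100"   # constructed body
    altered = b"balance: 900"    # constructed replacement body
    results = {}
    for bound in (False, True):
        msg = build_message(original, bound)
        tampered = strip_digest_and_alter(msg, altered)
        results[bound] = {
            "intact_verifies": verify_message(msg, bound),
            "tampered_verifies": verify_message(tampered, bound),
        }
    return results


if __name__ == "__main__":
    for bound, outcome in demo().items():
        print("bound" if bound else "unbound", outcome)
```

In the unbound case the tampered message still verifies, because nothing the receiver checks ever depended on the digest having been sent; in the bound case the reconstructed flag no longer matches what the sender signed, and verification fails. The same construction works in the POST/PUT direction, with the client as sender and the server reconstructing the flag.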