
Re: Authenticated Transactions: Why Wait Another Year?

From: Peter J Churchyard <pjc@trusted.com>
Date: Thu, 12 Sep 1996 14:55:19 -0400 (EDT)
Message-Id: <9609121855.AA26595@hilo.trusted.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

My only complaint with the optional entity-digest is that it is not bound
with the authentication. 

If a server uses digest to authenticate a user and returns a document with
an entity digest, the client needs to know that the digest was sent. Currently
a man in the middle can remove the digest and then modify the content. Part
of the 'challenge' should be a flag saying whether an entity digest is being 
supplied.

The binding needs to be done also when the client POSTs or PUTs. The 
authentication should include a flag saying that the client did supply an 
entity-digest so that if a man in the middle removes the entity-digest the 
authentication fails.

Peter.
-- 
The TIS Network Security Products Group has moved again!
voice: 301-527-9500x111  fax: 301-527-0482
Room 334, 15204 Omega Drive, Rockville, MD 20850
Received on Thursday, 12 September 1996 11:36:56 EDT
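The stripping problem described above, and the presence-flag binding the message proposes, modelled as an added example (this is not the author's code and not HTTP Digest wire syntax; the header names, nonce and shared secret are constructed placeholders, and the entity digest is keyed with the shared secret, as a Digest-style entity digest is):

```python
import hashlib
import hmac

# Constructed toy model: a shared secret between client and server, a keyed
# entity digest over the body, and an authenticator over the nonce that may or
# may not also cover a "digest was supplied" flag. Header names are invented.
SECRET = b"example-shared-secret"


def mac(*parts: str) -> str:
    """Keyed digest over the given fields, standing in for Digest's KD()."""
    return hmac.new(SECRET, ":".join(parts).encode(), hashlib.md5).hexdigest()


def entity_digest(body: bytes) -> str:
    # Keyed: a man in the middle cannot forge one for altered content,
    # but nothing stops it from simply removing the header.
    return hmac.new(SECRET, body, hashlib.md5).hexdigest()


def build(body: bytes, nonce: str, bound: bool) -> dict:
    """Emit a message carrying an entity digest; `bound` binds its presence."""
    msg = {"body": body, "Entity-Digest": entity_digest(body)}
    if bound:
        msg["Digest-Present"] = "1"
        msg["Authorization"] = mac(nonce, "1")   # flag is inside the authenticator
    else:
        msg["Authorization"] = mac(nonce)        # authenticator ignores the digest
    return msg


def verify(msg: dict, nonce: str, bound: bool) -> bool:
    flag = msg.get("Digest-Present", "0")
    expected = mac(nonce, flag) if bound else mac(nonce)
    if not hmac.compare_digest(expected, msg["Authorization"]):
        return False  # nonce or flag was tampered with
    if "Entity-Digest" in msg:
        return hmac.compare_digest(msg["Entity-Digest"], entity_digest(msg["body"]))
    # No digest arrived: only the bound scheme can tell that one was expected.
    return not (bound and flag == "1")


def strip_and_modify(msg: dict, drop_flag: bool = False) -> dict:
    """Man in the middle removes the optional digest and alters the content."""
    out = {k: v for k, v in msg.items() if k != "Entity-Digest"}
    if drop_flag:
        out["Digest-Present"] = "0"
    out["body"] = b"altered: " + msg["body"]
    return out
```

With the unbound scheme the stripped-and-modified message still verifies; with the flag bound into the authenticator it fails whether the flag is left alone or rewritten.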

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:13 EDT