My only complaint with the optional entity-digest is that it is not bound with the authentication. If a server uses digest to authenticate a user and returns a document with an entity digest, the client needs to know that the digest was sent. Currently a man in the middle can remove the digest and then modify the content. Part of the 'challenge' should be a flag saying whether an entity digest is being supplied.

The binding needs to be done also when the client POSTs or PUTs. The authentication should include a flag saying that the client did supply an entity-digest so that if a man in the middle removes the entity-digest the authentication fails.

Peter.

--
The TIS Network Security Products Group has moved again!
voice: 301-527-9500x111 fax: 301-527-0482
Room 334, 15204 Omega Drive, Rockville, MD 20850

Received on Thursday, 12 September 1996 11:36:56 EDT