W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: Proposal for new HTTP 1.1 authentication scheme

From: Dave Kristol <dmk@bell-labs.com>
Date: Tue, 09 Dec 1997 16:32:34 -0500
Message-Id: <348DB8F2.E2FECEF5@bell-labs.com>
To: John Franks <john@math.nwu.edu>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
John Franks wrote:
> 
> On Tue, 9 Dec 1997, Dave Kristol wrote:
> 
> > I still feel my one objection about proxy-added headers is substantive
> > and unresolved.  Briefly, an origin server might omit headers that get
> > figured into the entity-digest calculation.  A proxy might subsequently
> > add those headers.  The client sees a message *with* the headers,
> > calculates an entity-digest that figures them in, and gets a different
> > answer from what the origin server calculated.
> [...]
> I agree that there is an issue here.  The current spec says the
> proxy MUST not add these headers.  If I recall you suggested the
> MUST be changed to SHOULD.  I am not sure how this helps beyond
> making the proxy technically "legal."  It doesn't materially affect
> the problem.

Ummm...  I think my "MUST -> SHOULD" had to do with a proxy's changing
the content of headers.  I think I see the words to which you're
referring (end of p.13), and they mention Content-Length explicitly but
don't mention Date.  And there's a potential problem with
Content-Length:  suppose a proxy eats chunked data and wants to create a
complete entity *with* Content-Length.  Is it hereby forced to forward
the entity as "chunked" because it's forbidden to add Content-Length?
> 
> What should a proxy do in this situation?  It seems it must either
> not add headers or break the entity-digest.

I agree it's a dilemma.  An option is to require that clients send
Content-Length and (perhaps) not Date, and forbid proxies to add either
within this context.

Dave Kristol
Received on Tuesday, 9 December 1997 13:19:47 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:04 EDT