Re: Proposal for new HTTP 1.1 authentication scheme

Dave Kristol wrote:
> 
> John Franks wrote:
> >
> > On Tue, 9 Dec 1997, Dave Kristol wrote:
> >
> > > I still feel my one objection about proxy-added headers is substantive
> > > and unresolved.  Briefly, an origin server might omit headers that get
> > > figured into the entity-digest calculation.  A proxy might subsequently
> > > add those headers.  The client sees a message *with* the headers,
> > > calculates an entity-digest that figures them in, and gets a different
> > > answer from what the origin server calculated.
> > [...]
> > I agree that there is an issue here.  The current spec says the
> > proxy MUST not add these headers.  If I recall you suggested the
> > MUST be changed to SHOULD.  I am not sure how this helps beyond
> > making the proxy technically "legal."  It doesn't materially affect
> > the problem.
> 
> Ummm...  I think my "MUST -> SHOULD" had to do with a proxy's changing
> the content of headers.  I think I see the words to which you're
> referring (end of p.13), and they mention Content-Length explicitly but
> don't mention Date.  And there's a potential problem with
> Content-Length:  suppose a proxy eats chunked data and wants to create a
> complete entity *with* Content-Length.  Is it hereby forced to forward
> the entity as "chunked" because it's forbidden to add Content-Length?
> >
> > What should a proxy do in this situation?  It seems it must either
> > not add headers or break the entity-digest.
> 
> I agree it's a dilemma.  An option is to require that clients send
> Content-Length and (perhaps) not Date, and forbid proxies to add either
> within this context.

Alternatively, you exclude those headers from the digest?

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

Received on Tuesday, 9 December 1997 13:23:12 UTC
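
The mismatch discussed in this thread, and the effect of leaving the proxy-added headers out of the digest, as an added example that is not part of the original messages or of the draft. It uses a simplified keyed digest: the covered-header list, the SHA-256 stand-in hash, the secret, and the function names are all assumptions made for illustration, not the draft's actual entity-digest formula.

```python
import hashlib

# Headers covered by this simplified digest (assumption, not the draft's list).
COVERED = ("Content-Type", "Content-Length", "Date")
PROXY_ADDED = ("Content-Length", "Date")

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entity_digest(secret: str, headers: dict, body: bytes, exclude=()) -> str:
    """Keyed digest over covered header values and the body hash.

    A covered header that is absent contributes an empty field, which is
    why a header added later in transit changes the result.
    """
    fields = [headers.get(name, "") for name in COVERED if name not in exclude]
    info = h(":".join(fields).encode())
    return h(f"{secret}:{info}:{h(body)}".encode())

def proxy_forward(headers: dict, body: bytes) -> dict:
    """Constructed proxy: consumes chunked data, adds Content-Length and Date."""
    out = dict(headers)
    out.pop("Transfer-Encoding", None)
    out.setdefault("Content-Length", str(len(body)))
    out.setdefault("Date", "Tue, 09 Dec 1997 13:00:00 GMT")  # constructed value
    return out

def demo():
    secret = "constructed-shared-secret"
    body = b"<html>hello</html>"
    # Constructed origin response: chunked, no Content-Length, no Date.
    origin = {"Content-Type": "text/html", "Transfer-Encoding": "chunked"}
    seen = proxy_forward(origin, body)

    # Digest over all covered headers: the client's value no longer matches.
    strict_ok = entity_digest(secret, seen, body) == entity_digest(secret, origin, body)

    # Digest with the proxy-added headers excluded: both sides agree again.
    sent = entity_digest(secret, origin, body, exclude=PROXY_ADDED)
    relaxed_ok = entity_digest(secret, seen, body, exclude=PROXY_ADDED) == sent

    # A modified body is still caught when those headers are excluded.
    tamper_caught = entity_digest(secret, seen, body + b"!", exclude=PROXY_ADDED) != sent
    return strict_ok, relaxed_ok, tamper_caught

if __name__ == "__main__":
    print(demo())
```

Excluding the headers makes the digest survive the proxy, at the cost that Content-Length and Date are no longer authenticated by it.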