
Re: Digest mess

From: Dave Kristol <dmk@bell-labs.com>
Date: Tue, 30 Dec 1997 13:56:54 -0500
Message-Id: <34A943F6.63DECDAD@bell-labs.com>
To: John Franks <john@math.nwu.edu>
Cc: Scott Lawrence <lawrence@agranat.com>, paulle@microsoft.com, ietf-http-wg@w3.org, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

John Franks wrote:
> [...]
>             transaction-info       =
>               H(
>                 Method ":"
>                 digest-uri-value ":"
>                 media-type ":"   ; Content-Type, see section 3.7 of [2]
>                 content-coding ":" ; Content-Encoding, see 3.5 of [2]
>                 dheader-content
>                 )
> 
>             dheader-content   = *DIGIT ":" ; HTTP response status code
>                                 *DIGIT ":"         ; entity-length, see ??
>                                 date ":"  ; contents of origin HTTP date header
>                                 last-modified ":" ; last modified date
>                                 expires   ; expiration date

It's time for me to be stupid again.

The dheader-content gets digested in transaction-info, and it gets sent
in the clear as part of Authentication-Info.  Is there any expectation
(or requirement) that a receiver will validate the individual pieces of
dheader-content?  If not, then the sender could put arbitrary garbage in
dheader-content, and as long as the same garbage appeared in both
places, the bits will come out right, but nothing useful will have been
accomplished.

Dave Kristol
Received on Monday, 5 January 1998 10:04:39 EST
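
The concern raised in the message above, as an added example that is not part of the original thread: a receiver that only recomputes transaction-info from the transmitted dheader-content accepts a self-consistent but meaningless value, while one that rebuilds dheader-content from the response it actually received rejects it. Assumptions: H is MD5, absent headers contribute an empty string, and the dict layout, function names and sample exchange are constructed for illustration.

```python
import hashlib
import hmac

def H(text):
    # Assumption: H is MD5 rendered as hex; the quoted grammar does not name it.
    return hashlib.md5(text.encode("latin-1")).hexdigest()

def transaction_info(method, uri, media_type, coding, dheader):
    # Field order follows the transaction-info production quoted above.
    return H(":".join((method, uri, media_type, coding, dheader)))

def dheader_from_response(resp):
    # Rebuild dheader-content from what was actually received.
    # Assumption: an absent header contributes an empty string.
    h = resp["headers"]
    return ":".join((str(resp["status"]), str(len(resp["body"])),
                     h.get("Date", ""), h.get("Last-Modified", ""),
                     h.get("Expires", "")))

def _digest_ok(req, resp, dheader, digest):
    h = resp["headers"]
    want = transaction_info(req["method"], req["uri"],
                            h.get("Content-Type", ""),
                            h.get("Content-Encoding", ""), dheader)
    return hmac.compare_digest(want, digest)

def naive_check(req, resp, dheader, digest):
    # Trusts the transmitted dheader-content: proves only self-consistency.
    return _digest_ok(req, resp, dheader, digest)

def strict_check(req, resp, dheader, digest):
    # Also requires the transmitted fields to match the real response.
    return (hmac.compare_digest(dheader, dheader_from_response(resp))
            and _digest_ok(req, resp, dheader, digest))

# Constructed sample exchange (not taken from the thread).
REQ = {"method": "GET", "uri": "/index.html"}
RESP = {"status": 200, "body": b"hello world\n",
        "headers": {"Content-Type": "text/html",
                    "Date": "Tue, 30 Dec 1997 18:56:54 GMT",
                    "Last-Modified": "Mon, 29 Dec 1997 10:00:00 GMT",
                    "Expires": "Wed, 31 Dec 1997 18:56:54 GMT"}}

def sender_digest(dheader):
    return transaction_info(REQ["method"], REQ["uri"], "text/html", "", dheader)

GARBAGE = "000:0:x:y:z"                # arbitrary but self-consistent value
HONEST = dheader_from_response(RESP)   # what a faithful sender would transmit
```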
