W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

Re: Digest mess

From: Scott Lawrence <lawrence@agranat.com>
Date: Wed, 07 Jan 1998 13:53:21 -0500
Message-Id: <199801071853.NAA16548@devnix.agranat.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>>>>> "DK" == Dave Kristol <dmk@bell-labs.com> writes:

DK> The conflicting positions (should Digest have some kind of integrity
DK> check?) seem to stem from two different perspectives:

DK> 1) Servers want to identify users.  Neither the server nor the client is
DK> particularly concerned about the integrity of messages (typically GETs
DK> that return information to the client).

  I don't accept that at all.  If I'm a client requesting a form that
  I'm going to submit authenticated, I'd like to know that the form is
  what the server sent (not one with a new ACTION= attributed inserted
  to send it somewhere else), and that the result of submitting the
  form is equally authentic.  Both of these require server->client
  authentication and message integrity.

DK> Can the two functions be separated so (1) can progress with "old"
DK> Digest?

  I don't think so (but I bet no one is suprised at that).

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Wednesday, 7 January 1998 11:22:08 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:09 EDT