W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

Re: more Digest auth questions/comments

From: Dave Kristol <dmk@bell-labs.com>
Date: Thu, 09 Apr 1998 16:19:41 -0400
Message-Id: <352D2D5D.20B3@bell-labs.com>
To: Scott Lawrence <lawrence@agranat.com>
Cc: HTTP Working Group <http-wg@cuckoo.hpl.hp.com>
Scott Lawrence wrote:
> 
> On Thu, 9 Apr 1998, Dave Kristol wrote:
> > [...]
> >     Now, for qop="auth-int", the client must include H(entity-body) in
> >     the calculation of A2.  But there is no entity-body.  Does the
> >     client use the null string when it calculates A2?
> 
>   It uses the hash of the null string, actually.

I think it would be wise to add an explicit statement to that effect to
the draft.

> 
> > 2) Same example.  Suppose the server decides, for whatever reason, that
> > it *can't* calculate the response-digest for AuthenticationInfo.  How
> > should the server respond?  Error code?  (Which one?)  AuthenticateInfo
> > header with no rspauth attribute?
> 
>   500 Internal Server Error
> 
>   It said that it supported auth-int and now it is backing out - this is
>   just a bug.

I don't entirely agree that it's a bug.  Suppose the client sends a
preemptive Authorization header with qop="auth-int" for a URL that
retrieves dynamic content, more particularly something like an NPH CGI
(a CGI that presumes to handle all output itself, including headers,
bypassing the server).  The server will never get the opportunity to
examine and calculate the digest for the returned content (because of
the NPH architecture).  But the server can probably assume the CGI will
not send an AuthenticateInfo header.  And, 500 sounds like the right
response here.

Dave Kristol
Received on Thursday, 9 April 1998 13:24:04 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:14 EDT