W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

4/13/98 http-authentication-01.txt comments

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Mon, 13 Apr 1998 16:07:13 -0400 (EDT)
Message-Id: <199804132007.QAA18314@aleatory.research.bell-labs.com>
To: http-wg@cuckoo.hpl.hp.com
(It's gotten so I have to date them! :-)


3.2.2 The Authorization Request Header

    response         = "response" "=" request-digest

Later there's this text:
    The definition of request-digest above indicates the encoding for
    its value. The following definitions show how the value is
    computed.

Unfortunately, there *is* no "definition ... above".  The non-terminal
request-digest has no syntactic definition.  I suspect it should be

	request-digest = <"> *LHEX <">


3.2.3 The Authentication-Info Header

cnonce and qop are used in the calculation of response-digest.  The
client is not required to send either cnonce= or auth=.  So I assume
(correct?) that the null string is used for values for omitted
attributes in the calculation.

If (to use cnonce as the example) cnonce was omitted, should
Authentication-Info omit cnonce, or should it send cnonce=""?  Same
question for auth.

Dave Kristol
Received on Monday, 13 April 1998 13:11:37 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:14 EDT