
HTTP-authentication-01.txt comments

From: John Franks <john@math.nwu.edu>
Date: Tue, 14 Apr 1998 11:44:26 -0500 (CDT)
To: http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.LNX.3.96.980414113831.15018A-100000@hopf.math.nwu.edu>

On Mon, 13 Apr 1998, Dave Kristol wrote:

> 
> 3.2.3 The Authentication-Info Header
> 
> cnonce and qop are used in the calculation of response-digest.  The
> client is not required to send either cnonce= or auth=.  So I assume
> (correct?) that the null string is used for values for omitted
> attributes in the calculation.
> 
> If (to use cnonce as the example) cnonce was omitted, should
> Authentication-Info omit cnonce, or should it send cnonce=""?  Same
> question for auth.
> 

It might be better to say that Authentication-Info should only be
sent if qop (and hence cnonce) are present.


Another question: Unless I am mistaken, at one point in the long
sequence of digest drafts, the Authentication-Info header could be
supplied by either the server or the client.  It would be useful
for the client to be able to supply the digest of POSTed data
or a file which is PUT.  Being able to assure the integrity of
client-supplied data would be very useful.  Did this fall through
the cracks, or am I just missing this functionality somewhere in
the draft?


John Franks
john@math.nwu.edu
Received on Tuesday, 14 April 1998 09:47:47 EDT
