Re: Authentication issue CNONCE: Proposed resolution

From: Scott Lawrence <lawrence@agranat.com>
Date: Tue, 28 Jul 1998 18:12:53 +0000
Message-Id: <35BE14A5.686D0BB6@agranat.com>
To: Larry Masinter <masinter@parc.xerox.com>
Cc: HTTP Working Group <http-wg@cuckoo.hpl.hp.com>

Larry Masinter wrote:

> In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0031.html
> Dave Kristol wrote:
> 
> # 3.2.3 The Authentication-Info Header
> # cnonce and qop are used in the calculation of response-digest.  The
> # client is not required to send either cnonce= or auth=.  So I assume
> # (correct?) that the null string is used for values for omitted
> # attributes in the calculation.
> 
> I suggest that this be the correct interpretation, that the null
> string is used for values for omitted attributes in the calculation.
> 
> # If (to use cnonce as the example) cnonce was omitted, should
> # Authentication-Info omit cnonce, or should it send cnonce=""?  Same
> # question for auth.
> 
> I propose that either MAY be allowed, since they are equivalent.

I think that this is an acceptable resolution, but that the Security
Considerations section will need a short paragraph on the implications of
leaving this out - the server is then not authenticated to the user agent.

-- 
Scott Lawrence            Consulting Engineer        <lawrence@agranat.com>
Agranat Systems, Inc.   Embedded Web Technology     http://www.agranat.com/
Received on Tuesday, 28 July 1998 11:27:09 EDT
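
Added example, not part of the original message or of any draft text: a Python sketch of the interpretation proposed in the thread, where an omitted cnonce or qop contributes the null string to the response-digest, together with the reply's caveat that without a client cnonce the server is not authenticated to the user agent. The MD5 digest layout, the `nc` attribute and the `rspauth` field name follow RFC 2617 and are assumptions here, as are all function names and sample values.

```python
import hashlib
import hmac
import re

def H(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_params(header_value):
    """Parse name=value and name="value" pairs (escaped quotes not handled)."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', header_value)
    return {name.lower(): quoted or bare for name, quoted, bare in pairs}

def response_digest(ha1, nonce, uri, params):
    # An omitted attribute contributes the null string, as proposed in the thread.
    nc, cnonce, qop = (params.get(k, "") for k in ("nc", "cnonce", "qop"))
    ha2 = H(":" + uri)  # assumption: A2 for the server's digest, per RFC 2617
    return H(":".join([ha1, nonce, nc, cnonce, qop, ha2]))

def check_authentication_info(header_value, ha1, nonce, uri, sent):
    """Return (digest_ok, server_authenticated).

    `sent` holds the attributes the client put in its own request."""
    received = parse_params(header_value)
    # Omitted and cnonce="" are equivalent, so compare with "" as the default.
    for name in ("cnonce", "qop"):
        if received.get(name, "") != sent.get(name, ""):
            return (False, False)
    expected = response_digest(ha1, nonce, uri, sent)
    digest_ok = hmac.compare_digest(expected, received.get("rspauth", ""))
    # With no client-chosen cnonce the digest has no fresh client input, so a
    # match is not accepted as authenticating the server to the user agent.
    return (digest_ok, digest_ok and sent.get("cnonce", "") != "")

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    ha1 = H("alice:example-realm:constructed-password")
    nonce, uri = "constructed-server-nonce", "/index.html"
    digest = response_digest(ha1, nonce, uri, {})
    for header in (f'rspauth="{digest}"', f'rspauth="{digest}", cnonce=""'):
        print(header, check_authentication_info(header, ha1, nonce, uri, {}))
```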
