Larry Masinter wrote: > In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0031.html > Dave Kristol wrote: > > # 3.2.3 The Authentication-Info Header > # cnonce and qop are used in the calculation of response-digest. The > # client is not required to send either cnonce= or auth=. So I assume > # (correct?) that the null string is used for values for omitted > # attributes in the calculation. > > I suggest that this be the correct interpretation, that the null > string is used for values for omitted attributes in the calculation. > > # If (to use cnonce as the example) cnonce was omitted, should > # Authentication-Info omit cnonce, or should it send cnonce=""? Same > # question for auth. > > I propose that either MAY be allowed, since they are equivalent. I think that this is an acceptable resolution, but that the Security Considerations section will need a short paragraph on the implications of leaving this out - the server is then not authenticated to the user agent. -- Scott Lawrence Consulting Engineer <lawrence@agranat.com> Agranat Systems, Inc. Embedded Web Technology http://www.agranat.com/Received on Tuesday, 28 July 1998 11:27:09 EDT
This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:19 EDT