How about -- if auth= or auth-int= are specified, cnonce= is required and MUST be a value never used before by the client?

> -----Original Message-----
> From: Scott Lawrence [mailto:lawrence@agranat.com]
> Sent: Tuesday, July 28, 1998 11:13 AM
> To: Larry Masinter
> Cc: HTTP Working Group
> Subject: Re: Authentication issue CNONCE: Proposed resolution
>
>
> Larry Masinter wrote:
>
> > In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0031.html
> > Dave Kristol wrote:
> >
> > # 3.2.3 The Authentication-Info Header
> > # cnonce and qop are used in the calculation of response-digest. The
> > # client is not required to send either cnonce= or auth=. So I assume
> > # (correct?) that the null string is used for values for omitted
> > # attributes in the calculation.
> >
> > I suggest that this be the correct interpretation, that the null
> > string is used for values for omitted attributes in the calculation.
> >
> > # If (to use cnonce as the example) cnonce was omitted, should
> > # Authentication-Info omit cnonce, or should it send cnonce=""? Same
> > # question for auth.
> >
> > I propose that either MAY be allowed, since they are equivalent.
>
> I think that this is an acceptable resolution, but that the Security
> Considerations section will need a short paragraph on the implications of
> leaving this out - the server is then not authenticated to the user agent.
>
> --
> Scott Lawrence Consulting Engineer
> <lawrence@agranat.com>
> Agranat Systems, Inc. Embedded Web Technology
> http://www.agranat.com/
>

Received on Thursday, 6 August 1998 22:38:23 EDT
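
Added example, not part of the original message or of any draft text: a Python sketch of the point raised in this thread, that a server digest computed over a null-string cnonce can be replayed to the client, while a never-before-used cnonce defeats the replay. It assumes the qop=auth formulas as later published in RFC 2617 (which may differ from the draft under discussion); the Client class, helper names and sample credentials are hypothetical.

```python
import hashlib
import hmac
import secrets

def h(text):
    return hashlib.md5(text.encode()).hexdigest()

def kd(cred, nonce, nc, cnonce, qop, a2):
    # Assumed RFC 2617 form: H(H(A1):nonce:nc:cnonce:qop:H(A2)), A1 = user:realm:password
    user, realm, password = cred
    ha1 = h(f"{user}:{realm}:{password}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{h(a2)}")

def request_digest(cred, nonce, nc, cnonce, qop, method, uri):
    return kd(cred, nonce, nc, cnonce, qop, f"{method}:{uri}")

def rspauth(cred, nonce, nc, cnonce, qop, uri):
    # Server's digest in Authentication-Info: same calculation, A2 = ":" uri
    return kd(cred, nonce, nc, cnonce, qop, f":{uri}")

class Client:
    """Hypothetical client enforcing the rule proposed in this thread."""
    def __init__(self, cred):
        self.cred = cred
        self.used = set()

    def fresh_cnonce(self):
        while True:
            value = secrets.token_hex(8)
            if value not in self.used:      # never reuse a cnonce
                self.used.add(value)
                return value

    def server_is_authentic(self, nonce, nc, cnonce, qop, uri, received):
        if qop == "auth" and cnonce not in self.used:
            return False    # omitted or foreign cnonce: digest may be a replay
        expected = rspauth(self.cred, nonce, nc, cnonce, qop, uri)
        return hmac.compare_digest(expected, received)

def replay_demo():
    cred = ("alice", "example-realm", "constructed-password")   # constructed
    nonce, nc, uri = "constructed-server-nonce", "00000001", "/index.html"
    # Server digest recorded from an earlier exchange where cnonce was omitted.
    recorded = rspauth(cred, nonce, nc, "", "auth", uri)
    # Same nonce offered again; a client that omits cnonce recomputes the same value.
    lenient = hmac.compare_digest(recorded, rspauth(cred, nonce, nc, "", "auth", uri))
    client = Client(cred)
    strict = client.server_is_authentic(nonce, nc, client.fresh_cnonce(), "auth", uri, recorded)
    return lenient, strict

if __name__ == "__main__":
    print(replay_demo())
```

The lenient check accepts the recorded digest because nothing in it was chosen fresh by the client; the strict client rejects it because its new cnonce was not part of the recorded calculation.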