W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1999

rfc2617: response-auth calculation

From: Joe Orton <joe@orton.demon.co.uk>
Date: Sat, 17 Jul 1999 12:59:53 +0100 (BST)
To: http-wg@hplb.hpl.hp.com
Message-ID: <Pine.LNX.4.10.9907171240300.1041-100000@ankh.orton.local>

Just after a clarification:

In the calculation of the response-auth digest for the
'Authentication-Info' header, is the qop-value used the one which is
sent by the client in the 'Authorization' header, or the one sent by
the server in the Auth-Info header itself?

Example: the client sends, e.g. a GET request, with no entity-body, so
uses "qop=auth" in the 'Authorization' header. The server response then
has an entity-body, and uses "qop=auth-int" in the 'Authentication-Info'
header.

The sentence
 
                              The "response-digest" value is calculated
   as for the "request-digest" in the Authorization header, except that
   if "qop=auth" or is not specified in the Authorization header for the
   request, A2 is
       ...

implies that the qop-value the client sent is used, but the paragraph

   message-qop
     Indicates the "quality of protection" options applied to the
     response by the server.  The value "auth" indicates authentication;
     the value "auth-int" indicates authentication with integrity
     protection. The server SHOULD use the same value for the message-
     qop directive in the response as was sent by the client in the
     corresponding request.

seems to implies that the qop-value the server sends is used.

Regards,

joe

-- 
Joe Orton
joe@orton.demon.co.uk ... jeo101@york.ac.uk
http://www.orton.demon.co.uk/
Received on Saturday, 17 July 1999 13:47:33 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:31 EDT