W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1999

RE: rfc2617: response-auth calculation

From: Joe Orton <joe@orton.demon.co.uk>
Date: Mon, 19 Jul 1999 14:29:34 +0100 (BST)
To: Scott Lawrence <lawrence@agranat.com>
cc: http-wg@hplb.hpl.hp.com
Message-ID: <Pine.LNX.4.10.9907191416510.1715-100000@ankh.orton.local>

> > In the calculation of the response-auth digest for the
> > 'Authentication-Info' header, is the qop-value used the one which is
> > sent by the client in the 'Authorization' header, or the one sent by
> > the server in the Auth-Info header itself?
> 
> The intent was that they should be the same.  The server presents
> alternatives it is willing to support in the WWW-Authenticate challenge, and
> the client chooses one in its Authorization.  The server should then use
> that value in the response.  If it is not willing to use 'auth', then it
> should not present that alternative in the challenge.

Ah, can auth-int be used for messages with no body (zero-length), e.g.
GET requests? I presumed it couldn't, maybe this is the source of my
confusion.

> If you did switch between request and response, you would want the server to
> use the value it is sending in calculating the digest - the point of
> including it in the digest is that it be protected from modification.

Okay, thanks.

> As a practical matter, changing qop wouldn't work at all today, since the
> only commercial browser that does digest at all doesn't support 'auth-int'
> yet.

(I'm writing client code).

Regards,

joe

-- 
Joe Orton
joe@orton.demon.co.uk ... jeo101@york.ac.uk
http://www.orton.demon.co.uk/
Received on Monday, 19 July 1999 15:28:34 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:32 EDT