- From: Joe Orton <joe@orton.demon.co.uk>
- Date: Mon, 19 Jul 1999 14:29:34 +0100 (BST)
- To: Scott Lawrence <lawrence@agranat.com>
- cc: http-wg@hplb.hpl.hp.com
> > In the calculation of the response-auth digest for the
> > 'Authentication-Info' header, is the qop-value used the one which is
> > sent by the client in the 'Authorization' header, or the one sent by
> > the server in the Auth-Info header itself?
>
> The intent was that they should be the same. The server presents
> alternatives it is willing to support in the WWW-Authenticate challenge, and
> the client chooses one in its Authorization. The server should then use
> that value in the response. If it is not willing to use 'auth', then it
> should not present that alternative in the challenge.

Ah, can auth-int be used for messages with no body (zero-length), e.g. GET
requests? I presumed it couldn't, maybe this is the source of my confusion.

> If you did switch between request and response, you would want the server to
> use the value it is sending in calculating the digest - the point of
> including it in the digest is that it be protected from modification.

Okay, thanks.

> As a practical matter, changing qop wouldn't work at all today, since the
> only commercial browser that does digest at all doesn't support 'auth-int'
> yet.

(I'm writing client code).

Regards, joe

--
Joe Orton joe@orton.demon.co.uk ... jeo101@york.ac.uk http://www.orton.demon.co.uk/
Received on Monday, 19 July 1999 07:31:27 UTC
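As an added example that is not part of the thread (credentials, nonce and cnonce are constructed sample values), the RFC 2617 computation of the client's `response` and the server's `rspauth`: the server reuses the qop, nc and cnonce from the client's Authorization, qop is itself part of the hashed data, and under auth-int a zero-length body is simply hashed as H("").

```python
import hashlib, hmac

# Constructed sample credentials and nonces (not from the thread).
SAMPLE = {"username": "alice", "realm": "example.org", "password": "s3cret",
          "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "cnonce": "0a4f113b",
          "nc": "00000001", "uri": "/dir/index.html"}

def H(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()
def KD(secret: str, data: str) -> str:
    return H(f"{secret}:{data}".encode())
def HA1(p: dict) -> str:
    return H(f"{p['username']}:{p['realm']}:{p['password']}".encode())

def HA2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    # For rspauth the method is the empty string, so A2 begins with ":"; auth-int appends H(body).
    if qop == "auth":
        return H(f"{method}:{uri}".encode())
    if qop == "auth-int":
        return H(f"{method}:{uri}:{H(body)}".encode())
    raise ValueError(f"unsupported qop: {qop}")

def digest(ha1, method, uri, nonce, nc, cnonce, qop, body=b"") -> str:
    # qop is inside the hashed data, so a changed qop value no longer verifies.
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{HA2(method, uri, qop, body)}")

def authorization(p: dict, method: str, qop: str, body: bytes = b"") -> dict:
    """Client: directives for the Authorization header of one request."""
    return {"uri": p["uri"], "nonce": p["nonce"], "nc": p["nc"], "cnonce": p["cnonce"],
            "qop": qop, "response": digest(HA1(p), method, p["uri"], p["nonce"],
                                           p["nc"], p["cnonce"], qop, body)}

def authentication_info(p: dict, auth: dict, method: str,
                        req_body: bytes = b"", resp_body: bytes = b""):
    """Server: verify the request digest; rspauth reuses the client's qop, nc, cnonce."""
    ha1 = HA1(p)
    expected = digest(ha1, method, auth["uri"], auth["nonce"], auth["nc"],
                      auth["cnonce"], auth["qop"], req_body)
    if not hmac.compare_digest(expected, auth["response"]):
        return None  # bad credentials or tampered request: no Authentication-Info
    rspauth = digest(ha1, "", auth["uri"], auth["nonce"], auth["nc"],
                     auth["cnonce"], auth["qop"], resp_body)
    return {"qop": auth["qop"], "nc": auth["nc"], "cnonce": auth["cnonce"], "rspauth": rspauth}

def verify_rspauth(p: dict, auth: dict, info: dict, resp_body: bytes = b"") -> bool:
    """Client: check the server's rspauth with the qop it echoed back."""
    expected = digest(HA1(p), "", auth["uri"], auth["nonce"], info["nc"],
                      info["cnonce"], info["qop"], resp_body)
    return hmac.compare_digest(expected, info["rspauth"])
```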