
Re: Digest mess

From: Scott Lawrence <lawrence@agranat.com>
Date: Mon, 22 Dec 1997 16:22:48 -0500
Message-Id: <199712222122.QAA23873@devnix.agranat.com>
To: John Franks <john@math.nwu.edu>
cc: paulle@microsoft.com, ietf-http-wg@w3.org, http-wg@cuckoo.hpl.hp.com

>>>>> "JF" == John Franks <john@math.nwu.edu> writes:

JF> One other question.  Dave Kristol asked me what keeps a man in
JF> the middle from stripping the digest from the response.  I said
JF> the digest-required field.   But I'm not sure I'm right.  It looks
JF> like only the server can use digest-required now.  Do we want to
JF> let the client require a digest also?  If so how?

  There appears to have been an omission in the syntax for the
  Authorization header - it was in my original draft for
  digest-required.  The text is correct in
  draft-ietf-http-authentication-00:

    3.2.2 The Authorization Request Header

    ...

       If the value of the digest-required parameter is "true", the
       response to this request MUST either include the "digest" field
       in its Authentication-Info header or the response should be an
       error message indicating the server is unable or unwilling to

  but the digest-required syntax got left out of the syntax for the
  header field.  The Digest-response production should be

     Digest-response   = 1#( username | realm | nonce | digest-uri
                             | response | [ digest ] | [ algorithm ]
                             | digest-required | opaque )

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
Received on Monday, 22 December 1997 16:24:02 GMT
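
Added example, not part of the original message or of the draft: a client-side check for the rule quoted above, that a request sent with digest-required="true" must get back either a response carrying the "digest" field in Authentication-Info or an error. The function names, the treatment of any 4xx/5xx status as the error case, and the sample header values are assumptions; the check covers presence only and does not recompute the digest value.

```python
import re

# name=value or name="value", followed by a comma or end of string.
_PARAM = re.compile(
    r'\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_auth_params(value):
    """Parse a comma-separated auth parameter list into a dict (lower-cased names)."""
    value, params, pos = value.strip(), {}, 0
    while pos < len(value):
        m = _PARAM.match(value, pos)
        if m is None:
            raise ValueError("malformed parameter list at offset %d" % pos)
        name = m.group(1).lower()
        if name in params:
            raise ValueError("duplicate parameter %r" % name)
        quoted = m.group(2)
        params[name] = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else m.group(3)
        pos = m.end()
    return params

def check_digest_required(authorization, status, response_headers):
    """Classify a response against the digest-required rule for the request sent."""
    scheme, _, rest = authorization.strip().partition(" ")
    if scheme.lower() != "digest":
        return "not-applicable"
    if parse_auth_params(rest).get("digest-required", "").lower() != "true":
        return "not-required"
    if status >= 400:  # assumption: an "error message" is any 4xx/5xx response
        return "server-declined"
    headers = {k.lower(): v for k, v in response_headers.items()}
    try:
        info = parse_auth_params(headers.get("authentication-info", ""))
    except ValueError:
        return "reject"  # an unparseable header is treated like a missing digest
    # Presence check only; recomputing the digest value is outside this example.
    return "digest-present" if info.get("digest") else "reject"

# Constructed sample values, not taken from the message or the draft.
SAMPLE_AUTHORIZATION = ('Digest username="alice", realm="example", nonce="abc123", '
                        'uri="/doc", response="0123456789abcdef", digest-required="true"')
```

A "reject" result means a successful response arrived without the digest the request demanded, which is the stripped-digest case raised in the quoted question.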
