W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 1997

Re: Digest mess

From: Dave Kristol <dmk@bell-labs.com>
Date: Tue, 30 Dec 1997 13:56:54 -0500
Message-Id: <34A943F6.63DECDAD@bell-labs.com>
To: John Franks <john@math.nwu.edu>
Cc: Scott Lawrence <lawrence@agranat.com>, paulle@microsoft.com, ietf-http-wg@w3.org, http-wg@cuckoo.hpl.hp.com
John Franks wrote:
> [...]
>             transaction-info       =
>               H(
>                 Method ":"
>                 digest-uri-value ":"
>                 media-type ":"   ; Content-Type, see section 3.7 of [2]
>                 content-coding ":" ; Content-Encoding, see 3.5 of [2]
>                 dheader-content
>                 )
> 
>             dheader-content   = *DIGIT ":" ; HTTP response status code
>                                 *DIGIT ":"         ; entity-length, see ??
>                                 date ":"  ; contents of origin HTTP date header
>                                 last-modified ":" ; last modified date
>                                 expires   ; expiration date

It's time for me to be stupid again.

The dheader-content gets digested in transaction-info, and it gets sent
in the clear as part of Authentication-Info.  Is there any expectation
(or requirement) that a receiver will validate the individual pieces of
dheader-content?  If not, then the sender could put arbitrary garbage in
dheader-content, and as long as the same garbage appeared in both
places, the bits will come out right, but nothing useful will have been
accomplished.

Dave Kristol
Received on Tuesday, 30 December 1997 13:58:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:16 GMT