
Digest authentication: using auth-int QOP with no entity body

From: Stewart Brodie <stewart.brodie@antlimited.com>
Date: Tue, 17 Aug 2004 15:52:42 +0100
To: ietf-http-wg@w3.org
Message-ID: <gemini.i2lint005rh4w0eh4.stewart.brodie@antlimited.com>


RFC2617 section 3.2.2.3 shows that A2 is constructed differently if the qop
was auth-int - it has an extra colon and hash of the entity body. The
example shown in section 3.5 features a server that offers both auth and
auth-int.  The sample client response has chosen to use auth - which it is
at liberty to do given the server's offer.

What is supposed to happen if there is no entity-body but the server only
offers to accept a qop of auth-int?  I am assuming that I should create a
hash of 0 bytes of data.

Initially, I had assumed that I should always choose the best option
available and considered the added integrity protection with auth-int to
make it "better" than plain auth if the chance to use it was presented.

Should I prefer auth when it is available and there is no entity-body, like
the example, or should I continue to generate the full auth-int request?


-- 
Stewart Brodie
Software Engineer
ANT Limited
Received on Tuesday, 17 August 2004 14:52:43 GMT
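
The two A2 constructions the message compares, as an added example that is not part of the original post. The sample credentials and nonces are those of the RFC 2617 section 3.5 example; hashing zero bytes when there is no entity-body is the assumption stated in the message, not something this code establishes as the specified behaviour.

```python
import hashlib

def H(data: bytes) -> str:
    """H() from RFC 2617: MD5 rendered as 32 lowercase hex digits."""
    return hashlib.md5(data).hexdigest()

def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data)."""
    return H(f"{secret}:{data}".encode("latin-1"))

def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop, entity_body=b""):
    """request-digest for qop=auth or qop=auth-int (RFC 2617 3.2.2.1-3.2.2.3)."""
    a1 = f"{username}:{realm}:{password}"
    if qop == "auth":
        a2 = f"{method}:{uri}"
    elif qop == "auth-int":
        # Extra colon plus H(entity-body). With no body this hashes b"",
        # which is the assumption made in the message above.
        a2 = f"{method}:{uri}:{H(entity_body)}"
    else:
        raise ValueError(f"unsupported qop: {qop!r}")
    ha1 = H(a1.encode("latin-1"))
    ha2 = H(a2.encode("latin-1"))
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Values from the RFC 2617 section 3.5 example (a GET, so no entity-body).
SAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001", cnonce="0a4f113b",
)

def compare_qops(entity_body=b""):
    """Return the response value a client would send under each qop."""
    return {
        qop: digest_response(qop=qop, entity_body=entity_body, **SAMPLE)
        for qop in ("auth", "auth-int")
    }

if __name__ == "__main__":
    print("H(empty entity-body) =", H(b""))
    for qop, response in compare_qops().items():
        print(f"qop={qop:<8} response={response}")
```

Because the qop value is itself part of the hashed string, the two responses differ even when the body is empty, so the client's `qop` directive and its A2 construction have to agree with what the server recomputes.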
