W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2006

Digest Authentication (Broken in many Browsers)

From: John C. Mallery <jcma@csail.mit.edu>
Date: Wed, 12 Jul 2006 14:47:59 +0000
Message-Id: <729B00B5-00CF-4731-A5C2-4E3C1D58022A@csail.mit.edu>
To: ietf-http-wg@w3.org




Few browsers seem to have implemented HTTP 1.1 Digest Authentication  
correctly, at least on the Mac.

Digest authentication of proxy requests seems to be a major problem  
area.

Firefox 2.0b1 seems to be the best implementation on the mac.

1. I note, however, that it computes the digest based on the relative  
URI of the absolute URI requested of the proxy.

RFC 2617 says that the uri should be digest-uri-value = request- 
uri   ; As specified by HTTP/1.1

RFC 2616 says that that the Request-URI    = "*" | absoluteURI |  
abs_path | authority

Further, RFC 2617 says: "The authenticating server must assure that  
the resource designated by the "uri" directive is the same as the  
resource specified in the Request-Line; if they are not, the server  
SHOULD return a 400 Bad Request error."

On my reading of the specs, this is a bug.

What do people think?

Should the specification be clarified in this regard?

What should be done about backward compatibility for buggy clients?

2. If the absoluteURI is used, there is an issue of cannonicalizing  
the case of the scheme, host, and any escape codes.

These are not treated by RFC 2617.

Comments?
Received on Wednesday, 12 July 2006 15:19:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:46 GMT