
Re: Digest Authentication (Broken in many Browsers)

From: Scott Lawrence <scott@skrb.org>
Date: Wed, 12 Jul 2006 14:11:36 -0400
To: "John C. Mallery" <jcma@csail.mit.edu>
Cc: ietf-http-wg@w3.org
Message-Id: <1152727896.2954.13.camel@localhost.localdomain>

On Wed, 2006-07-12 at 14:47 +0000, John C. Mallery wrote:
> 
> Few browsers seem to have implemented HTTP 1.1 Digest Authentication correctly, at least on the Mac.
> 
> Digest authentication of proxy requests seems to be a major problem area.
> 
> Firefox 2.0b1 seems to be the best implementation on the Mac.
> 
> 1. I note, however, that it computes the digest based on the relative URI of the absolute URI requested of the proxy.
> 
> RFC 2617 says that the uri should be digest-uri-value = request-uri ; As specified by HTTP/1.1
> 
> RFC 2616 says that the Request-URI = "*" | absoluteURI | abs_path | authority
> 
> Further, RFC 2617 says: "The authenticating server must assure that the resource designated by the "uri" directive is the same as the resource specified in the Request-Line; if they are not, the server SHOULD return a 400 Bad Request error."
> 
> On my reading of the specs, this is a bug.

I'm not sure what 'this' you are referring to...

> What do people think?
> 
> Should the specification be clarified in this regard?
> 
> What should be done about backward compatibility for buggy clients?

besides fixing the buggy clients?

> 2. If the absoluteURI is used, there is an issue of canonicalizing the case of the scheme, host, and any escape codes.
> 
> These are not treated by RFC 2617.
> 
> Comments?
> 
-- 
Scott Lawrence
http://skrb.org/scott/
Received on Wednesday, 12 July 2006 18:12:29 GMT
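As an added example that is not part of the original post nor of any browser or server code discussed in it: the server-side check RFC 2617 calls for (the "uri" directive must designate the Request-Line resource, else 400), exercised on the proxy mismatch from point 1 and on the canonicalization question from point 2. The canonicalization rule, the header values and the hostnames are assumptions constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Added example, not code from the thread: a server-side check of the Digest
# "uri" directive against the Request-Line (RFC 2617 3.2.2), including the
# proxy case raised above, where a client digests the abs_path although the
# Request-Line sent to the proxy carries an absoluteURI.
_DIRECTIVE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def parse_digest(header):
    """Parse 'Digest k=v, k="v", ...' into a dict of directive values."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {k: quoted or bare for k, quoted, bare in _DIRECTIVE.findall(params)}

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth. A2 is built from the 'uri' directive,
    which is why that directive must designate the Request-Line resource."""
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    a1, a2 = h(f"{user}:{realm}:{password}"), h(f"{method}:{uri}")
    return h(f"{a1}:{nonce}:{nc}:{cnonce}:auth:{a2}")

def canonical(uri):
    """Assumed canonical form (RFC 2617 leaves this open, as point 2 notes):
    case-fold scheme and host, upper-case the hex digits of percent-escapes."""
    p = urlsplit(uri)
    path = re.sub(r"%[0-9a-fA-F]{2}", lambda m: m.group(0).upper(), p.path or "/")
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))

def check_uri_directive(request_target, auth_header, canonicalize=False):
    """Status a server should answer with: 200 when the 'uri' directive
    designates the Request-Line resource, otherwise 400 Bad Request."""
    uri = parse_digest(auth_header).get("uri")
    if uri is None:
        return 400
    if uri == request_target:
        return 200
    if canonicalize and canonical(uri) == canonical(request_target):
        return 200
    return 400

if __name__ == "__main__":
    # Constructed sample: a proxy request where the client digested only the
    # abs_path, the behaviour reported for Firefox 2.0b1 in the thread.
    target = "http://example.com/index.html"
    hdr = 'Digest username="jcma", realm="proxy", uri="/index.html", qop=auth'
    print(check_uri_directive(target, hdr))  # 400
```

With `canonicalize=True` the check tolerates only scheme/host case and escape-code case differences; a relative "uri" against an absoluteURI Request-Line is still rejected.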
