- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Tue, 12 Jun 2007 00:53:36 +0200
- To: lists@ingostruck.de
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Received on Monday, 11 June 2007 22:53:57 UTC
Mon 2007-06-11 at 23:15 +0000, lists@ingostruck.de wrote:

> I would say that this means that for "no value" both
> http://foo.com and https://foo.com are the same protection space,
> because they inevitably refer to the same server (apart from technical
> fancy foods like transparent nat a/o transparent proxying).
> However, most UAs consider http://foo.com and https://foo.com to be
> different servers.

Most people define server to be port specific. http and https use different ports.

> - move MD5-sess to a separate rfc or drop it (nobody got it right
> and the same could be achieved with MD5)

Several got it right. But nearly nobody uses it for various reasons, the main one being that very few have authentication backends capable of providing MD5-sess keying material.

How do you do MD5-sess with MD5 for the target of MD5-sess? The target of MD5-sess is to allow Digest to operate without requiring the Digest server to have access to the static H(A1) (somewhat security sensitive).

Regards
Henrik
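The key separation described in the message above, as an added example that is not part of the original message or of any implementation discussed on the list: an authentication backend keeps the static H(A1) and gives the Digest server only the per-session MD5-sess key. The function names, the backend/server split and the sample credentials are assumptions made for illustration, and the hex form of H(A1) is assumed in the MD5-sess derivation.

```python
import hashlib
import hmac

def h(data: str) -> str:
    """H() of RFC 2617: MD5 of the string, as lowercase hex."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def static_ha1(user: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5: long-lived, password-equivalent within the realm."""
    return h(f"{user}:{realm}:{password}")

def session_ha1(ha1: str, nonce: str, cnonce: str) -> str:
    """H(A1) for algorithm=MD5-sess: derived from the static value, bound to
    one nonce/cnonce pair. Only a holder of static H(A1) can compute it."""
    return h(f"{ha1}:{nonce}:{cnonce}")

def digest_response(ha1, method, uri, nonce, nc, cnonce) -> str:
    """request-digest for qop=auth: H(H(A1):nonce:nc:cnonce:auth:H(A2))."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_verify(key, method, uri, nonce, nc, cnonce, response) -> bool:
    """Check done on the Digest server. `key` is whatever H(A1) it was given."""
    expected = digest_response(key, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    user, realm, password = "alice", "example", "correct horse"
    nonce, cnonce, nc = "srv-nonce-1", "cli-nonce-1", "00000001"
    req = ("GET", "/private")
    # Client side: knows the password, derives the MD5-sess key itself.
    client_key = session_ha1(static_ha1(user, realm, password), nonce, cnonce)
    response = digest_response(client_key, *req, nonce, nc, cnonce)
    # Backend side: holds static H(A1), hands the server only session keys.
    backend_ha1 = static_ha1(user, realm, password)
    key_for_server = session_ha1(backend_ha1, nonce, cnonce)
    other_session = session_ha1(backend_ha1, "srv-nonce-2", cnonce)
    return {
        "accepted": server_verify(key_for_server, *req, nonce, nc, cnonce, response),
        # A key issued for a different nonce does not verify this session.
        "other_session_key": server_verify(other_session, *req, nonce, nc, cnonce, response),
        "server_saw_static_ha1": key_for_server == backend_ha1,
    }

if __name__ == "__main__":
    print(demo())
```

With plain MD5 the server would have to call `digest_response` with the static H(A1) itself, which is the exposure MD5-sess is meant to avoid.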