On Wednesday, 18 September 2002, at 04:10, Lisa Dusseault wrote:

> [...]
> Can anybody come up with other clever ways for the client to try to
> authenticate? E.g. is it possible for a client to send a reasonable
> Digest authentication header with its first request (probably a
> PROPFIND, but whatever method happens to be first), and if the
> information therein (e.g. realm) is bad, the server responds with the
> WWW-Authenticate header with the correct prompting? That doesn't quite
> solve Ilya's performance problem, but perhaps the HTTP 1.1 Continue
> mechanism would solve that specific issue.

As someone on the list already pointed out, the client cannot guess a valid Digest Authentication header. It's one main strength of digest authentication that the client is not able to do this. Otherwise an attacker might be able to use a replay attack.

I'm not sure however what a server will do upon seeing a nonsense Authenticate header from the client. Will it always send a challenge back? (Unfortunately we cannot make this a requirement in WebDAV since this belongs in another RFC.)

//Stefan

Received on Wednesday, 18 September 2002 04:32:51 GMT
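The point Stefan makes, that a client cannot produce a valid Digest header before it has seen the server's challenge, comes down to the server-issued nonce. The following is an added Python example, not code from the thread or from any WebDAV implementation: it models both sides of an RFC 2617 Digest exchange with qop=auth, using a constructed realm "webdav" and user "alice". The server rejects a header built on a guessed nonce, rejects the same header sent a second time (the nonce-count must strictly increase), and accepts the legitimate client's next request on the same nonce.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class DigestServer:
    """Server side of RFC 2617 Digest auth (constructed example): issues a
    challenge with a fresh nonce, verifies responses, and refuses replays by
    requiring the nonce-count for a given nonce to strictly increase."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users   # username -> password (constructed; a real server would store HA1)
        self.issued = {}     # nonce -> highest nonce-count accepted so far

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def www_authenticate(self, chal: dict) -> str:
        """The header value the server would send with its 401."""
        return "Digest " + ", ".join(f'{k}="{v}"' for k, v in chal.items())

    def verify(self, method: str, params: dict) -> bool:
        nonce = params["nonce"]
        if nonce not in self.issued:
            return False     # guessed, forged or expired nonce
        nc = int(params["nc"], 16)
        if nc <= self.issued[nonce]:
            return False     # same or older nonce-count for this nonce: a replay
        password = self.users.get(params["username"])
        if password is None:
            return False
        ha1 = _md5(f'{params["username"]}:{self.realm}:{password}')
        ha2 = _md5(f'{method}:{params["uri"]}')
        expected = _md5(f'{ha1}:{nonce}:{params["nc"]}:{params["cnonce"]}:auth:{ha2}')
        if not secrets.compare_digest(expected, params["response"]):
            return False
        self.issued[nonce] = nc   # accept and remember the count
        return True


def client_authorization(username, password, method, uri, chal, nc, cnonce) -> dict:
    """Client side: compute the Digest response for one request (qop=auth)."""
    nc_str = f"{nc:08x}"
    ha1 = _md5(f'{username}:{chal["realm"]}:{password}')
    ha2 = _md5(f'{method}:{uri}')
    response = _md5(f'{ha1}:{chal["nonce"]}:{nc_str}:{cnonce}:auth:{ha2}')
    return {"username": username, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": "auth", "nc": nc_str, "cnonce": cnonce,
            "response": response}


def run_exchange() -> tuple:
    """Walk through the four cases discussed above; returns one bool per case."""
    server = DigestServer("webdav", {"alice": "s3cret"})   # constructed realm and user
    # 1. Client sends a Digest header on its first PROPFIND with a made-up nonce.
    guessed = client_authorization("alice", "s3cret", "PROPFIND", "/",
                                   {"realm": "webdav", "nonce": "made-up"}, 1, "c1")
    first_try = server.verify("PROPFIND", guessed)
    # 2. Server challenges; client answers using the real nonce.
    chal = server.challenge()
    auth = client_authorization("alice", "s3cret", "PROPFIND", "/", chal, 1, "c2")
    challenged = server.verify("PROPFIND", auth)
    # 3. The identical Authorization header presented again is refused.
    replayed = server.verify("PROPFIND", auth)
    # 4. The client's next request reuses the nonce with nc=2 and is accepted.
    auth2 = client_authorization("alice", "s3cret", "PROPFIND", "/", chal, 2, "c3")
    next_request = server.verify("PROPFIND", auth2)
    return first_try, challenged, replayed, next_request


if __name__ == "__main__":
    print(run_exchange())   # (False, True, False, True)
```

The first case is exactly the situation Lisa asks about: without a nonce the server has issued, no amount of correct realm or password knowledge produces a header the server will accept, so the client's first request still has to be answered with a 401 and a WWW-Authenticate challenge.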
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 12 October 2007 17:53:18 GMT