Mark Nottingham wrote:

> RFC2617 allows a limited form of integrity protection on both requests
> and responses; see sections 3.2.2 and 3.2.3, especially with regard to
> the calculation of A2. While it's true that HTTP Digest authentication
> doesn't provide for integrity protection on HTTP headers (it's very
> messy), the Request-URI isn't a header, it's in the Request-Line.
>
> That said, I'm not aware of any implementations that support this.
> Anybody else?

Apache has a mod_auth_digest (http://httpd.apache.org/docs-2.1/mod/mod_auth_digest.html) that implements HTTP digest auth, but this is an experimental module.

> Also, SSL and TLS provide security for both HTTP headers and all of the
> request line EXCEPT for the hostname and port.
>
> Cheers,
>
> On Mar 4, 2005, at 7:46 AM, Rich Salz wrote:
>
>>> "underlying" protocol such as HTTP. Duplication has serious downsides,
>>> but also some advantages, and may be a reasonable compromise in some
>>> cases, perhaps this one.
>>
>> There is no way to get end-to-end security on HTTP headers. Put another
>> way, while I can sign a wsa:To element, there is no way (at least not a
>> standard way; there might be a private scheme I don't know about)
>> to sign the URL in the POST command.
>>
>> /r$
>> --
>> Rich Salz                  Chief Security Architect
>> DataPower Technology       http://www.datapower.com
>> XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
>
> --
> Mark Nottingham     Principal Technologist
> Office of the CTO   BEA Systems

Received on Monday, 7 March 2005 19:02:27 GMT
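To make the A2 point in the quoted message concrete, here is an added illustration (not code from the thread or from mod_auth_digest) of the RFC 2617 Digest "response" computation with qop=auth-int. The credentials, nonce values, URI, headers and body are constructed samples; the server-side check recomputes the response from the request as delivered, so a changed Request-URI or body is detected while a changed HTTP header (Host included) is not.

```python
import hashlib

# Constructed sample credentials and nonce material (not from the thread).
USERNAME, REALM, PASSWORD = "mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"

def h(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(method, uri, body=b"", qop="auth-int"):
    # RFC 2617 3.2.2: A1 binds the credentials; A2 binds the method and the
    # Request-URI from the Request-Line and, for qop=auth-int, H(entity-body).
    # HTTP headers appear nowhere in A1 or A2.
    ha1 = h(f"{USERNAME}:{REALM}:{PASSWORD}".encode())
    a2 = f"{method}:{uri}" if qop == "auth" else f"{method}:{uri}:{h(body)}"
    return h(f"{ha1}:{NONCE}:{NC}:{CNONCE}:{qop}:{h(a2.encode())}".encode())

def client_sign(method, uri, headers, body):
    """Client side: the Authorization 'response' covers method, URI and body."""
    return {"method": method, "uri": uri, "headers": dict(headers),
            "body": body, "response": digest_response(method, uri, body)}

def server_verify(req):
    """Server side: recompute the response from what actually arrived."""
    return req["response"] == digest_response(req["method"], req["uri"], req["body"])

def with_changes(req, **changes):
    """Copy of a delivered request with fields altered in transit (constructed)."""
    changed = {**req, "headers": dict(req["headers"])}
    for key, value in changes.items():
        if key == "header":
            changed["headers"].update(value)
        else:
            changed[key] = value
    return changed

ORIGINAL = client_sign("POST", "/soap/endpoint",
                       {"Host": "ws.example.com", "SOAPAction": "Purchase"},
                       b"<Envelope/>")

def coverage_report():
    """Which in-transit changes the auth-int response lets the server detect."""
    return {
        "untouched": server_verify(ORIGINAL),
        "body_changed": server_verify(with_changes(ORIGINAL, body=b"<Envelope>x</Envelope>")),
        "uri_changed": server_verify(with_changes(ORIGINAL, uri="/soap/other")),
        "host_header_changed": server_verify(
            with_changes(ORIGINAL, header={"Host": "other.example.net"})),
    }
```

With qop=auth (no entity-body hash in A2) the same check still binds the Request-URI but no longer notices a changed body.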