- From: Paul Leach <paulle@microsoft.com>
- Date: Wed, 28 Feb 96 11:37:52 PST
- To: john@math.nwu.edu
- Cc: "hallam@w3.org"@microsoft.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
John said, in answer to me and Phil: ] > ] ] > ] 2) Is there an easy and backwards compatible mechanism whereby ] > ] a server could authenticate itself to a client? ] > ] > At first blush, the current protocol is mutually authenticating. If ] > the server computes message-digest, and returns it in ] > Digest-MessageDigest, and the client verifies it, then it has proven ] > that it knows the shared secret. ] ] Beyond this, I think the answer to your question is no. I don't think ] we should allow any form of "authentication" of the server which does ] not prevent tampering with the content of the served docuement. Good point. I agree. But then we should also prevent tampering with the rest of the response by including headers in some digest. And we need to be more precise about how the client checks what's in Digest-MessageDisgest. ] Also ] what I suspect you might really want is a way of authenticating the ] server *before* making a POST or PUT. A client will almost always do a GET first, and could do one artificially if one did not otherwise naturally occur.
Received on Wednesday, 28 February 1996 11:34:20 UTC