RE: Proposal for new HTTP 1.1 authentication scheme

> ----------
> From: 	Dave Kristol[SMTP:dmk@bell-labs.com]
> Sent: 	Tuesday, December 09, 1997 11:56 AM
> To: 	John Franks
> Cc: 	Jim Gettys; Paul Leach; Eric_Houston/CAM/Lotus@lotus.com; Scott
> Lawrence; http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> Subject: 	Re: Proposal for new HTTP 1.1 authentication scheme
> 
> John Franks wrote:
> > [...]
> > Most of the suggestions by Paul and Dave seem to be clarifications
> > of the original intent.  They should not cause problems.
> > [...]
> 
> I still feel my one objection about proxy-added headers is substantive
> and unresolved.  Briefly, an origin server might omit headers that get
> figured into the entity-digest calculation.  A proxy might subsequently
> add those headers.  The client sees a message *with* the headers,
> calculates an entity-digest that figures them in, and gets a different
> answer from what the origin server calculated.
> 
I agree that this hasn't been addressed. I don't think it'll be a problem in
practice -- implementors would quickly discover that Message Digest didn't
work if the origin server omits any headers and proxies add them.  It would
be (at least) nice to be clear about this, though.

There are two ways to fix the problem -- 
1. Say that origin servers can't omit the headers
2. Say that proxies can't add them when using Message Digest.

I don't know which is best. For Date, at least, it seems silly to omit it.

Paul

Received on Tuesday, 9 December 1997 13:35:20 UTC
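
The mismatch described in this thread and the two proposed fixes, as an added example that is not part of the original messages. It is a simplified model, not the draft's actual entity-digest formula: the covered header list, the `digest` key, the secret, the dates and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed set of header fields folded into the digest (illustrative only).
COVERED = ("Date", "Content-Type", "Content-Length", "Last-Modified", "Expires")
SECRET = "constructed-secret"          # constructed sample value
BODY = b"<html>hello</html>"           # constructed sample entity body

def entity_digest(headers, body, secret):
    """Hash the covered header values (empty string if absent) plus the body."""
    info = ":".join(headers.get(name, "") for name in COVERED)
    body_hash = hashlib.md5(body).hexdigest()
    return hashlib.md5(f"{secret}:{info}:{body_hash}".encode()).hexdigest()

def origin_response(body, secret, include_date):
    """Origin server: include_date=True models fix 1 (never omit covered headers)."""
    headers = {"Content-Type": "text/html", "Content-Length": str(len(body))}
    if include_date:
        headers["Date"] = "Tue, 09 Dec 1997 16:56:00 GMT"
    # The digest is computed over exactly the headers the origin server sent.
    headers["digest"] = entity_digest(headers, body, secret)
    return headers

def proxy_forward(headers, strict):
    """Proxy that fills in a missing Date; strict=True models fix 2
    (do not add covered headers to a message that carries a digest)."""
    out = dict(headers)
    if "Date" not in out and not (strict and "digest" in out):
        out["Date"] = "Tue, 09 Dec 1997 16:56:05 GMT"
    return out

def client_accepts(headers, body, secret):
    """Client recomputes the digest over the headers it actually received."""
    expected = entity_digest(headers, body, secret)
    return hmac.compare_digest(expected, headers["digest"])

def run_case(include_date, strict_proxy):
    sent = origin_response(BODY, SECRET, include_date)
    received = proxy_forward(sent, strict_proxy)
    return client_accepts(received, BODY, SECRET)

if __name__ == "__main__":
    print("origin omits Date, proxy adds it:", run_case(False, False))
    print("fix 1, origin always sends Date: ", run_case(True, False))
    print("fix 2, proxy leaves headers alone:", run_case(False, True))
```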