Re: more Digest auth questions/comments

Scott Lawrence wrote:
> 
> On Thu, 9 Apr 1998, Dave Kristol wrote:
> > [...]
> >     Now, for qop="auth-int", the client must include H(entity-body) in
> >     the calculation of A2.  But there is no entity-body.  Does the
> >     client use the null string when it calculates A2?
> 
>   It uses the hash of the null string, actually.

I think it would be wise to add an explicit statement to that effect to
the draft.

> 
> > 2) Same example.  Suppose the server decides, for whatever reason, that
> > it *can't* calculate the response-digest for AuthenticationInfo.  How
> > should the server respond?  Error code?  (Which one?)  AuthenticateInfo
> > header with no rspauth attribute?
> 
>   500 Internal Server Error
> 
>   It said that it supported auth-int and now it is backing out - this is
>   just a bug.

I don't entirely agree that it's a bug.  Suppose the client sends a
preemptive Authorization header with qop="auth-int" for a URL that
retrieves dynamic content, more particularly something like an NPH CGI
(a CGI that presumes to handle all output itself, including headers,
bypassing the server).  The server will never get the opportunity to
examine and calculate the digest for the returned content (because of
the NPH architecture).  But the server can probably assume the CGI will
not send an AuthenticateInfo header.  And, 500 sounds like the right
response here.

Dave Kristol

Received on Thursday, 9 April 1998 13:24:04 UTC
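The auth-int arithmetic discussed in the thread, as an added example that is not part of the original message: it computes A2 with H(entity-body) for a request that has no body (so H("") is included, per Scott Lawrence's answer), and the server-side rspauth for the AuthenticationInfo header (published later as Authentication-Info), which requires the whole response entity before it can be computed. The formulas follow RFC 2617; the credential, nonce and URI values are constructed (the RFC's own qop="auth" test vector).

```python
import hashlib

def H(data: bytes) -> str:
    """H() of Digest auth: lowercase MD5 hex digest."""
    return hashlib.md5(data).hexdigest()

def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data)."""
    return H(f"{secret}:{data}".encode())

def A1(username: str, realm: str, password: str) -> str:
    return f"{username}:{realm}:{password}"

def A2(method: str, uri: str, qop: str, body: bytes) -> str:
    """A2 for the request (client side) or, with method="", for rspauth (server side).
    For auth-int the entity-body hash field is always present: a request with no
    body contributes H(""), not an empty field."""
    if qop == "auth-int":
        return f"{method}:{uri}:{H(body)}"
    return f"{method}:{uri}"

def request_digest(username, realm, password, method, uri, nonce, nc, cnonce, qop, body=b"") -> str:
    """Value of the response= parameter in the client's Authorization header."""
    ha1 = H(A1(username, realm, password).encode())
    ha2 = H(A2(method, uri, qop, body).encode())
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def rspauth(username, realm, password, uri, nonce, nc, cnonce, qop, response_body=b"") -> str:
    """Value of the rspauth= parameter in the server's Authentication-Info header.
    Under auth-int it covers the response entity, so the server can only produce it
    once the whole body is known: this is the difficulty with NPH CGI output."""
    ha1 = H(A1(username, realm, password).encode())
    ha2 = H(A2("", uri, qop, response_body).encode())
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Constructed parameters: the RFC 2617 section 3.5 test vector.
USER, REALM, PASS = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
URI = "/dir/index.html"

if __name__ == "__main__":
    print("H(null string):", H(b""))
    print("qop=auth      :", request_digest(USER, REALM, PASS, "GET", URI, NONCE, NC, CNONCE, "auth"))
    print("qop=auth-int  :", request_digest(USER, REALM, PASS, "GET", URI, NONCE, NC, CNONCE, "auth-int"))
    print("rspauth       :", rspauth(USER, REALM, PASS, URI, NONCE, NC, CNONCE, "auth-int", b"<html>ok</html>"))
```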