- From: <hallam@alws.cern.ch>
- Date: Mon, 13 Feb 1995 22:24:25 +0100
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Hi folks,

We seem to have a number of suggestions :-

1) A request line for the original URI
2) A request line with the intended host name

The point is that for the security digest function we have to have (1). This is because the keyed digest is produced as a function of the URI to prevent spoofing of the URI [the method is also included]. For the digest to work the original URI has to be reconstructed. This is not necessarily possible if there is a proxy chain that is performing multiple URI transformations.

So if (1) is going to be there in any case, why not use it for this as well?

Jeff and I are going to be very keen on having the Digest authentication scheme in HTTP/1.1. The basic scheme is a dangerous security hole - Thank you ITAR regulations! The Digest scheme has nothing like the flexibility of Shen/S-HTTP but does allow the Basic scheme to be squished quickly.

Phill.
Received on Monday, 13 February 1995 13:28:49 UTC
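
The reconstruction problem described in the message above, as an added example that is not part of the original post: a digest keyed over the method and URI stops verifying once a proxy chain rewrites the request-line URI, and verifies again when the original URI travels with the request. Assumptions: HMAC-SHA256 stands in for the keyed digest (the message does not specify the algorithm), and the `Original-URI` header name, key, hosts and paths are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret"  # constructed sample key


def keyed_digest(key: bytes, method: str, uri: str) -> str:
    """Stand-in keyed digest (HMAC-SHA256) over the method and URI."""
    return hmac.new(key, f"{method}:{uri}".encode(), hashlib.sha256).hexdigest()


def client_request(method: str, uri: str) -> dict:
    """Request as sent; "Original-URI" is a hypothetical header for suggestion (1)."""
    return {"method": method, "request_uri": uri, "Original-URI": uri,
            "digest": keyed_digest(KEY, method, uri)}


def proxy(request: dict, old_prefix: str, new_prefix: str) -> dict:
    """A proxy hop that rewrites the request-line URI and nothing else."""
    out = dict(request)
    if out["request_uri"].startswith(old_prefix):
        out["request_uri"] = new_prefix + out["request_uri"][len(old_prefix):]
    return out


def verify(request: dict, uri_field: str) -> bool:
    """Server check: recompute the digest from the chosen URI field."""
    expected = keyed_digest(KEY, request["method"], request[uri_field])
    return hmac.compare_digest(expected, request["digest"])


def demo() -> dict:
    sent = client_request("GET", "http://www.example.org/docs/report.html")
    # Two constructed rewriting hops, as in a proxy chain.
    hop = proxy(sent, "http://www.example.org/docs/", "http://inner.example.org/d/")
    got = proxy(hop, "http://inner.example.org", "")
    forged = dict(got, **{"Original-URI": "http://www.example.org/docs/other.html"})
    return {
        "rewritten_uri": got["request_uri"],
        "via_request_line": verify(got, "request_uri"),
        "via_original_uri": verify(got, "Original-URI"),
        "forged_original_uri": verify(forged, "Original-URI"),
        "method_changed": verify(dict(got, method="DELETE"), "Original-URI"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the original URI is itself covered by the digest, altering it in transit, or changing the method, makes verification fail rather than redirecting the request.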