- From: Peter J Churchyard <pjc@trusted.com>
- Date: Tue, 11 Jun 1996 17:31:55 -0400 (EDT)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

The main thing I am concerned about is the lack of binding of the optional entity digest to the authentication.

When the digest is for a POST/PUT type operation, the entity-digest should be added as an extra nonce for the response digest so if it is removed by an intermediate proxy/gateway the auth will fail.

For GET type requests, on the Authenticate header the server needs to be able to signal that it is going to send an entity digest. This info should also be treated as an extra nonce so that it cannot be removed without the authentication failing.

If you are not going to require the entity digest to be bound with the response digest then why bother? Just use content-md5hash...

Pete.
--
The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850

Received on Tuesday, 11 June 1996 14:33:20 UTC
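
The binding proposed in the message above, shown as an added example that is not part of the original e-mail or of any specification text: a Digest-style response is computed with and without the entity digest mixed in as an extra nonce, and a request is checked after an intermediary has dropped the optional digest. The credentials, nonce, field names, the simplified entity-digest formula and the exact placement of the extra nonce are assumptions made for illustration.

```python
import hashlib

def H(s):
    return hashlib.md5(s.encode()).hexdigest()

# Constructed sample values (assumptions, not taken from the message).
USER, REALM, PASSWORD = "alice", "example", "s3cret"
NONCE, METHOD, URI = "abc123", "POST", "/orders"
HA1 = H(f"{USER}:{REALM}:{PASSWORD}")
HA2 = H(f"{METHOD}:{URI}")

def entity_digest(body):
    # Simplified keyed digest over the entity body (illustrative formula).
    return H(f"{HA1}:{NONCE}:{METHOD}:{H(body)}")

def response_digest(ed=None, bind=False):
    # bind=True mixes the entity digest in as an extra nonce (assumed placement).
    nonce = f"{NONCE}:{ed}" if bind and ed is not None else NONCE
    return H(f"{HA1}:{nonce}:{HA2}")

def client_request(body, bind):
    ed = entity_digest(body)
    return {"response": response_digest(ed, bind), "digest": ed, "body": body}

def strip_digest(req, new_body):
    # Models an intermediary that drops the optional digest and changes the body.
    out = dict(req, body=new_body)
    del out["digest"]
    return out

def server_accepts(req, bind):
    ed = req.get("digest")
    if ed is not None and ed != entity_digest(req["body"]):
        return False  # digest present, but the body does not match it
    # With binding, a missing digest changes the expected response value.
    return req["response"] == response_digest(ed, bind)

if __name__ == "__main__":
    for bind in (False, True):
        req = client_request("qty=1", bind)
        stripped = strip_digest(req, "qty=999")
        print(f"bound={bind}: intact={server_accepts(req, bind)} "
              f"stripped={server_accepts(stripped, bind)}")
```
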