RE: Final Review of Digest Authentication

The main thing I am concerned about is the lack of binding of the 
optional entity digest to the authentication.

When the digest is for a POST/PUT type operation, the entity-digest should
be added as an extra nonce for the response digest so if it is removed
by an intermediate proxy/gateway the auth will fail.

For GET type requests, on the Authenticate header the server needs to be able 
to signal that it is going to send an entity digest. This info should also
be treated as an extra nonce so that it cannot be removed without the 
authentication failing.

If you are not going to require the entity digest to be bound with the 
response digest then why bother? Just use a Content-MD5 hash...

The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850

Received on Tuesday, 11 June 1996 14:33:20 UTC
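As an added illustration of the binding this message asks for (example code written for this archive page, not part of the original post, the HTTP-WG draft, or any TIS product): a toy Digest-style computation in which the entity-body hash and the server's "entity digest expected" signal are folded into the response digest, modelled on the auth-int quality-of-protection value that RFC 2617 later standardized. The usernames, realm, password, nonce and request bodies are constructed; the point it shows is that with no binding an intermediary can alter or strip the body and the credential still verifies, while with binding the same tampering, or a downgrade of the qop signal, makes authentication fail.

```python
import hashlib
import hmac


def md5hex(data: str) -> str:
    """Hex MD5 of a string (Digest authentication was defined over MD5)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def response_digest(method, uri, username, realm, password, nonce, qop, body=""):
    """Compute a Digest-style response value.

    qop="auth"     -> A2 covers only method and URI; the body is unbound.
    qop="auth-int" -> A2 also carries H(entity-body), and the qop string
                      itself is part of the final hash, so neither the body
                      nor the server's "entity digest expected" signal can be
                      changed by an intermediary without breaking the digest.
    """
    a1 = f"{username}:{realm}:{password}"
    if qop == "auth-int":
        a2 = f"{method}:{uri}:{md5hex(body)}"
    elif qop == "auth":
        a2 = f"{method}:{uri}"
    else:
        raise ValueError(f"unknown qop {qop!r}")
    return md5hex(f"{md5hex(a1)}:{nonce}:{qop}:{md5hex(a2)}")


def server_verify(method, uri, username, realm, password, nonce, qop, presented, body=""):
    """Recompute the expected response on the server and compare in constant time."""
    expected = response_digest(method, uri, username, realm, password, nonce, qop, body)
    return hmac.compare_digest(expected, presented)


def tamper_demo():
    """Return (unbound_accepts_tampered, bound_accepts_tampered, downgrade_accepted).

    All values below are constructed for the demonstration.
    """
    creds = dict(username="alice", realm="example.test", password="s3cret")
    nonce = "constructed-nonce-1996-06-11"
    original = "amount=10"
    tampered = "amount=1000"  # what a proxy/gateway might substitute in transit

    # 1. qop=auth: the client signs method and URI only, so the server still
    #    accepts the credential after the body has been rewritten.
    r_auth = response_digest("POST", "/pay", **creds, nonce=nonce, qop="auth", body=original)
    unbound_ok = server_verify("POST", "/pay", **creds, nonce=nonce, qop="auth",
                               presented=r_auth, body=tampered)

    # 2. qop=auth-int: H(body) is inside A2, so the rewritten body fails.
    r_int = response_digest("POST", "/pay", **creds, nonce=nonce, qop="auth-int", body=original)
    bound_ok = server_verify("POST", "/pay", **creds, nonce=nonce, qop="auth-int",
                             presented=r_int, body=tampered)

    # 3. Downgrade attempt: an intermediary strips the entity digest and
    #    relabels the exchange as qop=auth. Because qop is hashed in too,
    #    the original auth-int response no longer verifies.
    downgrade_ok = server_verify("POST", "/pay", **creds, nonce=nonce, qop="auth",
                                 presented=r_int, body=original)

    return unbound_ok, bound_ok, downgrade_ok


if __name__ == "__main__":
    unbound, bound, downgrade = tamper_demo()
    print(f"unbound digest accepts tampered body: {unbound}")
    print(f"bound digest accepts tampered body:   {bound}")
    print(f"downgraded qop accepted:              {downgrade}")
```

The same construction answers the GET case in the message: the server announces in its challenge that an entity digest will follow (here, by offering qop=auth-int), the client echoes that choice into the hash, and a proxy that drops the signal or the digest is detected exactly as a body rewrite is.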