- From: John Franks <john@math.nwu.edu>
- Date: Wed, 28 Feb 1996 08:00:21 -0600 (CST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Tue, 27 Feb 1996, Paul Leach wrote:

> I made these before, but they may have been lost in the incrementing
> discussion.
>
> 1. A definition of what is "message-body" in section 2.1 needs to be
> given. Does it include entity-headers, general-headers,
> response-headers (when sent by server) or request-headers (when sent by
> client), as well as the entity-body?

I have changed <message-body> to <entity-body> and added the two sentences:

    The <entity-body> is the "entity body" as prescribed in the Hypertext
    Transfer Protocol. It consists of the data transferred after the
    <CRLF><CRLF> signaling the end of the entity headers.

> 2. In the security considerations section, the rationale for including
> client IP in the recommended nonce needs to be given, over just
> checking the IP address of a later request containing a nonce against
> the IP address to which the nonce was originally given. Is it to
> reduce the amount of state that the server needs to hold?

It is done so the server can be stateless. As far as I know there are no
stateful implementations of Digest Authentication. I have added the
following sentence to section 3.2:

    Digesting the client IP and timestamp in the nonce permits an
    implementation which does not maintain state between transactions.

On a related topic, I don't want to move the recommended nonce construction
material to an appendix. This might make sense from an editorial point of
view, but we were explicitly charged with expanding the nonce section and I
want it to be very clear we have met this charge, not just tacked on an
appendix.

John Franks
Dept of Math. Northwestern University
john@math.nwu.edu
Received on Wednesday, 28 February 1996 06:03:20 UTC
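The stateless nonce John Franks describes in his reply to point 2, shown as an added example that is not part of the original message or of the Digest Authentication draft: the server binds the client IP and a timestamp into the nonce under a server-side key, so a nonce presented in a later request can be checked by recomputation alone, with no per-nonce state. The exact layout (base64 of "timestamp:tag"), the HMAC-SHA256 tag, the 300-second lifetime and the sample key are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side private key (assumption); a real server would generate
# a fresh random key at startup and never ship it in source.
SERVER_KEY = b"constructed-private-key-do-not-reuse"
NONCE_LIFETIME = 300  # seconds a nonce remains acceptable (assumed policy)


def _tag(timestamp: int, client_ip: str) -> str:
    """Keyed digest over the timestamp and client IP; only the server can produce it."""
    msg = f"{timestamp}:{client_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_nonce(client_ip: str, now: Optional[int] = None) -> str:
    """Mint a nonce for the WWW-Authenticate challenge; nothing is stored server-side."""
    ts = int(time.time()) if now is None else now
    raw = f"{ts}:{_tag(ts, client_ip)}".encode()
    return base64.b64encode(raw).decode()


def check_nonce(nonce: str, client_ip: str, now: Optional[int] = None) -> bool:
    """True only if the nonce was minted by this server for client_ip and is unexpired.

    The timestamp is recovered from the nonce itself and the tag is recomputed,
    so validation needs no record of which nonces were issued.
    """
    try:
        ts_str, tag = base64.b64decode(nonce, validate=True).decode().split(":", 1)
        ts = int(ts_str)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed or tampered encoding
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= NONCE_LIFETIME:
        return False  # stale, or a timestamp from the future
    # Constant-time comparison so tag mismatches do not leak timing information.
    return hmac.compare_digest(tag, _tag(ts, client_ip))
```

Binding the nonce to the client IP means a client whose requests reach the server from different addresses (for example through a pool of proxies) will fail validation; that operational caveat is mine, not part of the message.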