- From: John Franks <john@math.nwu.edu>
- Date: Wed, 28 Feb 1996 08:12:48 -0600 (CST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: hallam@w3.org, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Tue, 27 Feb 1996, Paul Leach wrote:

> Phil said, Tuesday, February 27, 1996 4:05PM:
> ----------
> ]
> ] 2) Is there an easy and backwards compatible mechanism whereby
> ] a server could authenticate itself to a client?
>
> At first blush, the current protocol is mutually authenticating. If
> the server computes message-digest, and returns it in
> Digest-MessageDigest, and the client verifies it, then it has proven
> that it knows the shared secret.

Beyond this, I think the answer to your question is no. I don't think we should allow any form of "authentication" of the server which does not prevent tampering with the content of the served document.

Also what I suspect you might really want is a way of authenticating the server *before* making a POST or PUT.

These and other enhancements will have to wait. As pointed out by Larry Masinter our current charge is to respond to specific objections to version 02 of the spec. Even very good suggestions for enhancements will have to wait.

John Franks
Dept of Math. Northwestern University
john@math.nwu.edu
Received on Wednesday, 28 February 1996 06:14:30 UTC