Re: Digest Auth: mutual? (was Digest Auth (I think we have a deal!))

John said, in answer to me and Phil:

] > ]
] > ] 2) Is there an easy and backwards compatible mechanism whereby
] > ] a server could authenticate itself to a client?
] >
] > At first blush, the current protocol is mutually authenticating.  If
] > the server computes message-digest, and returns it in
] > Digest-MessageDigest, and the client verifies it, then it has proven
] > that it knows the shared secret.
]
] Beyond this, I think the answer to your question is no.  I don't think
] we should allow any form of "authentication" of the server which does
] not prevent tampering with the content of the served document.

Good point.  I agree. But then we should also prevent tampering with
the rest of the response by including headers in some digest. And we
need to be more precise about how the client checks what's in
Digest-MessageDigest.

]  Also
] what I suspect you might really want is a way of authenticating the
] server *before* making a POST or PUT.

A client will almost always do a GET first, and could do one 
artificially if one did not otherwise naturally occur.
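As an added example, not part of this thread, the check the two messages discuss in Python: a client verifying a server's keyed response digest. The HMAC-SHA256 construction, the shared secret and the sample response are assumptions standing in for the draft's Digest-MessageDigest formula; the point shown is that a body-only digest proves the server knows the secret but does not detect a modified header, while a digest that also covers the named header does.

```python
import hmac
import hashlib

# Constructed shared secret (stand-in for whatever the draft derives
# from the user's password; the exact key derivation is not modelled).
SHARED_SECRET = b"constructed-shared-secret"

def response_digest(secret, body, headers=None, covered=()):
    """Keyed digest a server would return in Digest-MessageDigest.

    Assumed construction (HMAC-SHA256), not the draft's formula. It covers
    the entity body and, optionally, the headers named in `covered`, so a
    client can detect tampering with those headers as well as the body.
    """
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for name in covered:
        value = (headers or {}).get(name, "")
        mac.update(f"{name.lower()}:{value.strip()}\n".encode())
    mac.update(body)
    return mac.hexdigest()

def client_verifies(secret, body, headers, covered, received_digest):
    """Client side: recompute over what was received and compare."""
    expected = response_digest(secret, body, headers, covered)
    return hmac.compare_digest(expected, received_digest)

# Constructed server response.
BODY = b'{"balance": 100}'
HEADERS = {"Content-Type": "application/json", "Location": "/account/1"}

def demo():
    """Return the verification outcomes for the two digest scopes."""
    body_only = response_digest(SHARED_SECRET, BODY)                     # draft as read
    with_loc = response_digest(SHARED_SECRET, BODY, HEADERS, ("Location",))  # proposal
    # Response altered in transit: header changed, body intact.
    altered_hdrs = dict(HEADERS, Location="/account/2")
    # Response altered in transit: body changed.
    altered_body = b'{"balance": 0}'
    return {
        "body_only_misses_header_change":
            client_verifies(SHARED_SECRET, BODY, altered_hdrs, (), body_only),
        "covered_header_detects_change":
            not client_verifies(SHARED_SECRET, BODY, altered_hdrs, ("Location",), with_loc),
        "body_change_detected":
            not client_verifies(SHARED_SECRET, altered_body, HEADERS, (), body_only),
        "untampered_verifies":
            client_verifies(SHARED_SECRET, BODY, HEADERS, ("Location",), with_loc),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```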

Received on Wednesday, 28 February 1996 11:34:20 UTC