- From: John Franks <john@math.nwu.edu>
- Date: Wed, 28 Feb 1996 14:47:17 -0600 (CST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

On Wed, 28 Feb 1996, Paul Leach wrote:
>
> I think there's a good argument that the <message-digest> should
> include at least the entity-headers and Date: as well as the
> <entity-body>, and maybe the other headers, too. This would prevent
> mucking with the Last-Modified, or Content-Type, etc, and Date: would
> prevent substituting an old reply for a new one. (This was another of
> Allan's points, BTW, that seems to have been left off of Larry's list.
> Sorry for not mentioning it earlier, but I couldn't tell until getting
> the <message-body> thing clarified. Actually it was two of his
> points -- that the total request wasn't authenticated, and that there
> was no freshness information.)
>
> If this is a backwards compatibility problem, then a new optional
> parameter "header=" could be used. This approach could also permit the
> separation of the entity-headers from the rest of the headers -- a
> cache would need to cough up entity-related digest that it got from
> the origin server, but construct a digest of the other headers using
> its own secret that it shares with the client.
>

I think this sounds good. It should refer to objects defined in the
HTTP1.1 spec as Larry recommended.

> If this isn't too out of line, I'll write up specific proposed text.
>

Great. But try to do it quickly. I would like to get version 03 of
this document submitted. Also could you send me your address?

John Franks
Dept of Math. Northwestern University
john@math.nwu.edu

Received on Wednesday, 28 February 1996 12:50:33 UTC
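
The point raised in the quoted proposal, shown as an added example that is not part of the original message or of the draft under discussion: a digest that covers the entity-headers and Date detects an altered Last-Modified and a replayed old reply, while a body-only digest accepts both. The HMAC-SHA-256 construction, the header canonicalisation, the five-minute freshness window and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: the covered set is the headers named in the thread.
COVERED = ("content-type", "last-modified", "date")

def message_digest(secret, headers, body, covered=COVERED):
    """Keyed digest over the covered headers (fixed order) and the entity-body."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for name in covered:
        mac.update(f"{name}:{h.get(name, '')}\n".encode())
    mac.update(b"\n" + body)
    return mac.hexdigest()

def verify(secret, headers, body, digest, now, covered=COVERED,
           max_age=timedelta(minutes=5)):
    """Return 'ok', 'tampered' or 'stale' for a received reply."""
    expected = message_digest(secret, headers, body, covered)
    if not hmac.compare_digest(expected, digest):
        return "tampered"
    if "date" not in covered:
        return "ok"  # Date is unauthenticated, so freshness cannot be judged
    h = {k.lower(): v for k, v in headers.items()}
    try:
        sent = parsedate_to_datetime(h["date"])
        return "ok" if abs(now - sent) <= max_age else "stale"
    except (KeyError, TypeError, ValueError):
        return "stale"  # missing, unparseable or zone-less Date

# Constructed sample reply and shared secret.
SECRET = b"constructed-shared-secret"
BODY = b"<p>current price: 10</p>"
HEADERS = {"Content-Type": "text/html", "Date": "Wed, 28 Feb 1996 20:47:00 GMT",
           "Last-Modified": "Tue, 27 Feb 1996 10:00:00 GMT"}
NOW = datetime(1996, 2, 28, 20, 48, tzinfo=timezone.utc)

def demo():
    full = message_digest(SECRET, HEADERS, BODY)
    body_only = message_digest(SECRET, HEADERS, BODY, covered=())
    edited = {**HEADERS, "Last-Modified": "Wed, 28 Feb 1996 20:00:00 GMT"}
    later = NOW + timedelta(days=1)
    return (verify(SECRET, HEADERS, BODY, full, NOW),            # fresh reply
            verify(SECRET, edited, BODY, full, NOW),             # Last-Modified altered
            verify(SECRET, HEADERS, BODY, full, later),          # old reply replayed
            verify(SECRET, edited, BODY, body_only, later, ()))  # body-only digest
```
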