Re: more minor Digest Auth editorial comments

On Wed, 28 Feb 1996, Paul Leach wrote:

> I think there's a good argument that the <message-digest> should include
> at least the entity-headers and Date: as well as the <entity-body>, and
> maybe the other headers, too. This would prevent mucking with the
> Last-Modified, or Content-Type, etc, and Date: would prevent substituting
> an old reply for a new one. (This was another of Allan's points, BTW, that
> seems to have been left off of Larry's list. Sorry for not mentioning it
> earlier, but I couldn't tell until getting the <message-body> thing
> clarified. Actually it was two of his points -- that the total request
> wasn't authenticated, and that there was no freshness information.)
> If this is a backwards compatibility problem, then a new optional
> parameter "header=" could be used. This approach could also permit the
> separation of the entity-headers from the rest of the headers -- a cache
> would need to cough up the entity-related digest that it got from the
> origin server, but construct a digest of the other headers using its own
> secret that it shares with the client.

I think this sounds good.  It should refer to objects defined in the
HTTP1.1 spec as Larry recommended.

> If this isn't too out of line, I'll write up specific proposed text.

Great.  But try to do it quickly.  I would like to get version 03 of this
document submitted.  Also could you send me your address?

John Franks 	Dept of Math. Northwestern University

Received on Wednesday, 28 February 1996 12:50:33 UTC
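The integrity and freshness argument in the quoted mail, worked through as an added Python example (not code from the thread or from the Digest Auth spec): the set of covered headers, the canonical form and the five-minute freshness window are assumptions made here for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed header set to cover; the mail names Date, Last-Modified and Content-Type.
COVERED = ("Date", "Last-Modified", "Content-Type")

def canonical(headers, body):
    """Bytes the digest is computed over: covered headers in a fixed order
    (lower-cased name, stripped value, empty if absent), then the entity body."""
    lookup = {k.lower(): v for k, v in headers.items()}
    head = "".join(f"{n.lower()}:{lookup.get(n.lower(), '').strip()}\n" for n in COVERED)
    return head.encode() + body

def message_digest(headers, body):
    # MD5 mirrors the Digest Auth scheme of the time; the point here is what is covered.
    return hashlib.md5(canonical(headers, body)).hexdigest()

def body_only_digest(body):
    """Digest over the entity body alone, the coverage the mail argues is too narrow."""
    return hashlib.md5(body).hexdigest()

def verify(headers, body, expected, now, max_age=timedelta(minutes=5)):
    """Check the header-covering digest, then reject replies whose Date: is stale."""
    if message_digest(headers, body) != expected:
        return False, "digest mismatch"
    try:
        sent = parsedate_to_datetime(headers["Date"])
    except (KeyError, TypeError, ValueError):
        return False, "missing or unparsable Date"
    if sent.tzinfo is None:          # treat a zone-less Date: as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    if now - sent > max_age:
        return False, "stale Date"
    return True, "ok"

# Constructed sample reply (not from the thread).
HEADERS = {"Date": "Wed, 28 Feb 1996 12:50:33 GMT",
           "Last-Modified": "Tue, 27 Feb 1996 09:00:00 GMT",
           "Content-Type": "text/html"}
BODY = b"<html>account balance: 100</html>"
NOW = datetime(1996, 2, 28, 12, 52, tzinfo=timezone.utc)

def demo():
    """Outcomes for a genuine reply, a header-tampered one, and a replayed old one."""
    good = message_digest(HEADERS, BODY)
    tampered = {**HEADERS, "Content-Type": "application/octet-stream"}  # body untouched
    old = {**HEADERS, "Date": "Tue, 27 Feb 1996 12:50:33 GMT"}         # yesterday's reply
    return {"genuine": verify(HEADERS, BODY, good, NOW),
            "tampered": verify(tampered, BODY, good, NOW),
            "replayed": verify(old, BODY, message_digest(old, BODY), NOW)}
```

A body-only digest is identical for the genuine and the tampered reply, which is exactly the gap the mail points out; only the digest that also covers the headers flags the change, and only the Date: check catches the replayed reply.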