- From: Peter J Churchyard <pjc@trusted.com>
- Date: Thu, 29 Feb 1996 09:24:42 -0500 (EST)
- To: pjc <pjc@hilo.trusted.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
For a POST or PUT operation (or any where the client is sending more than a request) and the server is using Digest Auth, then if the client wants to indicate that it did send a digest-messagedigest header then an extra flag in the digest could be used. If the client doesn't really care, then it uses the existing digest domain. So if a server gets a POST or PUT where the digest-messagedigest was stripped and maybe the data modified, then the auth would not succeed. If a d-md is present and is valid, then the digest can be checked assuming that the flag is present, and if that fails the auth can be tested without the flag, which shows that the d-md was optional.

As for d-md on responses, there is no strong way to indicate that a m-dm is required except by out of bounds means. This also means that clients authenticating servers cannot use m-dm.

If xxx-authenticate was considered a peer-peer property so either the client or server can use it then authentication of the server could be possible, but this may or may not fit into current schemes.

Pete.
--
The TIS Network Security Products Group has moved!
voice: 301-527-9500 x123 fax: 301-527-0482
2277 Research Boulevard, 5th Floor, Rockville, MD 20850
Received on Thursday, 29 February 1996 06:29:01 UTC
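
The server-side check order described in the message above, as an added Python example that is not part of the original post or of any Digest Auth specification. The flag token `md-sent`, the field layout of both digests, the keyed body digest and the `tamper` helper are assumptions made for illustration.

```python
import hashlib
import hmac

FLAG = "md-sent"  # hypothetical flag token; the message does not name one

def h(*parts: str) -> str:
    """MD5 over colon-joined fields (assumed layout, not the draft's)."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def body_md(secret: str, nonce: str, body: bytes) -> str:
    # Assumed keyed body digest, so it cannot be recomputed without the secret.
    return h(secret, nonce, hashlib.md5(body).hexdigest())

def auth_digest(secret, nonce, method, uri, flagged: bool) -> str:
    # The flag is folded into the hashed fields only when the client commits.
    fields = [secret, nonce, method, uri] + ([FLAG] if flagged else [])
    return h(*fields)

def make_request(secret, nonce, method, uri, body: bytes,
                 send_md: bool, commit: bool) -> dict:
    """commit=True means the digest asserts 'I did send a d-md header'."""
    return {"method": method, "uri": uri, "body": body,
            "digest": auth_digest(secret, nonce, method, uri, commit),
            "d_md": body_md(secret, nonce, body) if send_md else None}

def server_check(secret, nonce, req: dict) -> str:
    def digest_ok(flagged: bool) -> bool:
        want = auth_digest(secret, nonce, req["method"], req["uri"], flagged)
        return hmac.compare_digest(want, req["digest"])
    if req["d_md"] is not None:
        if not hmac.compare_digest(req["d_md"],
                                   body_md(secret, nonce, req["body"])):
            return "reject: body digest mismatch"
        if digest_ok(True):       # first assume the flag is present
            return "accept: d-md required"
        if digest_ok(False):      # then retry without it
            return "accept: d-md optional"
        return "reject: auth failed"
    # No d-md header: only the unflagged digest can match, so a header
    # stripped from a committed client's request fails authentication.
    return "accept: no d-md" if digest_ok(False) else "reject: auth failed"

def tamper(req: dict, body: bytes, strip_md: bool) -> dict:
    """Constructed in-path modification used to exercise the checks."""
    out = dict(req, body=body)
    if strip_md:
        out["d_md"] = None
    return out
```

A request from a client that did not commit still authenticates after its d-md header is stripped and its body changed, which is the "doesn't really care" case in the message.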