On Fri, 1 Mar 1996, Paul Leach wrote: > > Consider: if the client does a GET and the proxy serves it from the cache, > where does the "nonce" come from that is needed to compute and > check <message-digest> -- cached data, the proxy's nonce from > proxy-auth, or does the proxy have to always go to the origin-server? > It always has to go to the origin-server. Here is a quote from from section on Access Authentication from the HTTP/1.1 spec draft at http://www.w3.org/pub/WWW/Protocols/HTTP/1.1/spec.html "Proxies must be completely transparent regarding user agent authentication. That is, they must forward the WWW-Authenticate and Authorization headers untouched, and must not cache the response to a request containing Authorization." The problems you are addressing are important and need to be solved. But Digest Authentication is not the mechanism to solve those problems. It is a very small step in the right direction, intended only to replace a misstep, viz. Basic Authentication. John Franks Dept of Math. Northwestern University john@math.nwu.eduReceived on Friday, 1 March 1996 15:18:59 UTC
This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:42:57 UTC