- From: John Franks <john@math.nwu.edu>
- Date: Fri, 1 Mar 1996 17:15:30 -0600 (CST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, hallam@w3.org

On Fri, 1 Mar 1996, Paul Leach wrote:

> Consider: if the client does a GET and the proxy serves it from the cache,
> where does the "nonce" come from that is needed to compute and
> check <message-digest> -- cached data, the proxy's nonce from
> proxy-auth, or does the proxy have to always go to the origin-server?

It always has to go to the origin-server. Here is a quote from the section on Access Authentication from the HTTP/1.1 spec draft at http://www.w3.org/pub/WWW/Protocols/HTTP/1.1/spec.html

"Proxies must be completely transparent regarding user agent authentication. That is, they must forward the WWW-Authenticate and Authorization headers untouched, and must not cache the response to a request containing Authorization."

The problems you are addressing are important and need to be solved. But Digest Authentication is not the mechanism to solve those problems. It is a very small step in the right direction, intended only to replace a misstep, viz. Basic Authentication.

John Franks
Dept of Math. Northwestern University
john@math.nwu.edu

Received on Friday, 1 March 1996 15:18:59 UTC
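
The proxy rule quoted in the message above, sketched as an added example that is not part of the original e-mail or of any real proxy's code: a toy cache that never answers or stores a request carrying Authorization and relays the origin's challenge untouched. `ToyProxy`, `origin`, `has_header`, the URLs and the header values are constructed for illustration.

```python
# Added illustration of the quoted draft rule; all names and values are constructed.

def has_header(headers, name):
    """HTTP header names are case-insensitive."""
    return any(k.lower() == name.lower() for k in headers)

def origin(method, url, headers):
    """Constructed origin server: /private requires an Authorization header."""
    origin.hits += 1
    if url == "/private" and not has_header(headers, "Authorization"):
        # The challenge, including its nonce, is issued only by the origin.
        challenge = 'Digest realm="demo", nonce="n%d"' % origin.hits
        return 401, {"WWW-Authenticate": challenge}, ""
    return 200, {}, "body of " + url

origin.hits = 0

class ToyProxy:
    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}

    def handle(self, method, url, headers):
        authed = has_header(headers, "Authorization")
        key = (method, url)
        # A request carrying credentials is never answered from the cache.
        if method == "GET" and not authed and key in self.cache:
            return self.cache[key]
        # Request headers go upstream unmodified; the response returns unmodified.
        response = self.upstream(method, url, dict(headers))
        # Store only 200 responses to GET requests that had no Authorization.
        if method == "GET" and not authed and response[0] == 200:
            self.cache[key] = response
        return response

def demo():
    origin.hits = 0
    proxy = ToyProxy(origin)
    creds = {"authorization": 'Digest username="u", response="constructed"'}
    proxy.handle("GET", "/public", {})
    proxy.handle("GET", "/public", {})                # served from the cache
    public_hits = origin.hits
    first = proxy.handle("GET", "/private", creds)    # goes to the origin
    second = proxy.handle("GET", "/private", creds)   # goes to the origin again
    anon = proxy.handle("GET", "/private", {})        # gets the origin's 401
    return public_hits, origin.hits, first[0], second[0], anon

if __name__ == "__main__":
    print(demo())
```
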