- From: Peter J Churchyard <pjc@trusted.com>
- Date: Thu, 12 Sep 1996 14:55:19 -0400 (EDT)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
My only complaint with the optional entity-digest is that it is not bound with the authentication. If a server uses digest to authenticate a user and returns a document with an entity digest, the client needs to know that the digest was sent. Currently a man in the middle can remove the digest and then modify the content. Part of the 'challenge' should be a flag saying whether an entity digest is being supplied.

The binding needs to be done also when the client POSTs or PUTs. The authentication should include a flag saying that the client did supply an entity-digest so that if a man in the middle removes the entity-digest the authentication fails.

Peter.

--
The TIS Network Security Products Group has moved again!
voice: 301-527-9500x111 fax: 301-527-0482
Room 334, 15204 Omega Drive, Rockville, MD 20850
Received on Thursday, 12 September 1996 11:36:56 UTC
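The binding problem Churchyard raises, as an added Python model that is not part of the original message or of any HTTP-WG draft: a Digest `response` computed only over method and URI (the RFC 2069 shape) still verifies after the body is altered and the optional entity digest is stripped, whereas folding `H(entity-body)` into A2 (the binding the post asks for, later standardized as `qop=auth-int`) makes the same tampering fail. Credentials, nonce, URI and bodies are constructed values.

```python
import hashlib

# Constructed credentials and nonce; illustrative values only.
USER, REALM, PASSWORD, NONCE = "alice", "example", "s3cret", "dcd98b7102dd2f0e"

def h(data: str) -> str:
    """H() as in RFC 2069: lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode()).hexdigest()

def digest_response(method, uri, body, bind_entity):
    """response = KD(H(A1), nonce ':' H(A2)) = H(H(A1) ':' nonce ':' H(A2)).
    With bind_entity=True, A2 also covers H(entity-body), so the body is
    authenticated together with the credentials."""
    a1 = f"{USER}:{REALM}:{PASSWORD}"
    a2 = f"{method}:{uri}" + (f":{h(body)}" if bind_entity else "")
    return h(f"{h(a1)}:{NONCE}:{h(a2)}")

def client_request(body, bind_entity):
    """Client PUT carrying an Authorization response and an entity digest."""
    return {"method": "PUT", "uri": "/doc", "body": body,
            "entity_digest": h(body),
            "response": digest_response("PUT", "/doc", body, bind_entity)}

def strip_and_modify(req, new_body):
    """The tampering the post describes: drop the digest, change the content."""
    tampered = dict(req, body=new_body)
    tampered.pop("entity_digest")
    return tampered

def server_accepts(req, bind_entity):
    """Server-side check: Digest response first, entity digest only if present
    (the optionality is exactly the weakness being discussed)."""
    expected = digest_response(req["method"], req["uri"], req["body"], bind_entity)
    if req["response"] != expected:
        return False
    if "entity_digest" in req and req["entity_digest"] != h(req["body"]):
        return False
    return True

def demo(bind_entity):
    """Returns (original accepted?, tampered accepted?) for the chosen binding."""
    original = client_request("price=100", bind_entity)
    tampered = strip_and_modify(original, "price=1")
    return server_accepts(original, bind_entity), server_accepts(tampered, bind_entity)

if __name__ == "__main__":
    print("unbound:", demo(False))  # tampered request still passes
    print("bound:  ", demo(True))   # tampered request is rejected
```

Without the binding the server has no way to tell that a digest was ever sent; with it, removing or altering the body invalidates the Authorization response itself.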