- From: Scott Lawrence <lawrence@agranat.com>
- Date: Fri, 12 Dec 1997 11:59:37 -0500
- To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
>>>>> "JM" == Jeffrey Mogul <mogul@pa.dec.com> writes: JM> If the sender is required to send a Date header JM> by some part of this specification, and is unable JM> to generate a current HTTP-date value, it SHOULD JM> send a legal HTTP-date value that is provably in JM> the past. JM> For example, send JM> Date: Thu, 01 Jan 1970 00:0:01 GMT JM> As far as I can tell, this will not lead to any more trouble JM> than simply omitting the Date header. It also seems to be JM> legal according to section 14.19 of -rev-01. I'm concerned that this approach would confuse proxies when combined with max-age; anything that attempts to use the Date value to figure out how old a response _really_ is using the date value will be hopelessly messed up (your excellent work on clock unsyncronization has already shown that this is essentially hopeless, Jeff, but I don't think that will stop people from trying). We have the same problem with Date and Expires; proxies may add them (section 13.5.2) even when the origin server used an empty value when the digest was generated. As I see it, we have four alternatives: 1) Change the rule for whether or not these may be added. I include this for completeness - I don't think it would work because existing (even 1.0) implementations would still do it. 1a) Don't allow the additions when authentication is in use. Doesn't work because the authentication fields may be in the trailer where the proxy can't see them when building the header (we should allow for proxies that forward and cache in parallel). 2) Have the origin server put in bogus values and use those in the calculation. I'm concerned that this would cause confusion with age calculations and perhaps cache validity problems. 3) Put a cleartext attribute in the digest headers to pass the value used by the origin server when computing the digest. We do this now with the digest-uri-value for the same reason (the value in the received URI line may not be what the sender sent). 4) Remove these components from the entity digest calculation. If we accept Paul Leachs suggestion that we correct/redefine the digest to allow for 3rd party authentication anyway, this becomes an option to consider. I don't believe that 1 or 2 are good ideas for the reasons above. Number 3 is workable, but makes digest that much more trouble to do and I'd hate to create any more barrier to getting this widely implemented. My own inclination is to bite the bullet and have a hard look at 4; this means figuring out whether we really need all those fields in the entity digest. If we removed the problematic fields and made Pauls change, the definition (without my <<<< markers) would become: entity-digest<"> KD ( H( H( A1 ) ) <<<<< was H(A1) ,unquoted nonce-value ":" Method ":" <<<<< date was here entity-info ":" H(entity-body) ) <"> entity-info = H( digest-uri-value ":" media-type ":" ; Content-Type, see section 3.7 of [2] *DIGIT ":" ; Content-Length, see 10.12 of [2] content-coding ":" ; Content-Encoding, see 3.5 of [2] <<<<<< l-m and expires were here ) Talking off line with Paul, he said that the expires and last-modified values were originally included here to provide replay protection; even with a repeated nonce-value these values would make replay harder. We already have text in there on the importance of good nonce selection, and mechanisms for changing the nonce without adding round trips. With abject apologies to everyone else who has already implemented this, I suggest that we make this change in the interest of making the mechanism work and getting others to join us in eliminating cleartext passwords with a low cost authentication scheme. -- Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com> Agranat Systems, Inc. Engineering http://www.agranat.com/
Received on Friday, 12 December 1997 09:14:54 UTC