- From: Scott Lawrence <lawrence@agranat.com>
- Date: Mon, 22 Dec 1997 16:22:48 -0500
- To: John Franks <john@math.nwu.edu>
- cc: paulle@microsoft.com, ietf-http-wg@w3.org, http-wg@cuckoo.hpl.hp.com
>>>>> "JF" == John Franks <john@math.nwu.edu> writes:

JF> One other question. Dave Kristol asked me what keeps a man in
JF> the middle from stripping the digest from the response. I said
JF> the digest-required field. But I'm not sure I'm right. It looks
JF> like only the server can use digest-required now. Do we want to
JF> let the client require a digest also? If so how?

There appears to have been an omission in the syntax for the
Authorization header - it was in my original draft for
digest-required. The text is correct in
draft-ietf-http-authentication-00:

    3.2.2 The Authorization Request Header
    ...
    If the value of the digest-required parameter is "true", the
    response to this request MUST either include the "digest" field
    in its Authentication-Info header or the response should be an
    error message indicating the server is unable or unwilling to

but the digest-required syntax got left out of the syntax for the
header field. The Digest-response production should be

    Digest-response = 1#( username | realm | nonce | digest-uri
                        | response | [ digest ] | [ algorithm ]
                        | digest-required | opaque )

--
Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/
Received on Monday, 22 December 1997 16:24:02 UTC
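
Added example, not part of the original message or of the draft: a client-side check for the rule quoted above, rejecting a non-error response that lacks the "digest" field when the request sent digest-required="true". The function names, the comma-separated name=value parsing, the treatment of 4xx/5xx as the "error message" case, and the sample header are assumptions made for illustration.

```python
import re

# Assumed parameter syntax: comma-separated name=value, value a token or quoted-string.
_PARAM = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_params(value):
    """Parse an auth parameter list into a dict; reject malformed or duplicate fields."""
    params, pos = {}, 0
    while pos < len(value):
        m = _PARAM.match(value, pos)
        if not m:
            raise ValueError("malformed parameter list at offset %d" % pos)
        name = m.group(1).lower()
        if name in params:
            raise ValueError("duplicate parameter: " + name)
        quoted = m.group(2)
        params[name] = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else m.group(3)
        pos = m.end()
    return params

def digest_required(authorization):
    """True if the request's Authorization header carried digest-required="true"."""
    scheme, _, rest = authorization.strip().partition(" ")
    if scheme.lower() != "digest":
        return False
    return parse_params(rest).get("digest-required", "").lower() == "true"

def check_response(authorization, status, headers):
    """Return (ok, reason). headers: dict with lower-cased names (assumption)."""
    if not digest_required(authorization):
        return True, "client did not require a digest"
    if status >= 400:  # assumption: "error message" means a 4xx/5xx status
        return True, "error response, no digest expected"
    info = headers.get("authentication-info")
    if info is None:
        return False, "Authentication-Info header missing"
    try:
        has_digest = bool(parse_params(info).get("digest"))
    except ValueError as exc:
        return False, "Authentication-Info unparseable: %s" % exc
    if not has_digest:
        return False, "digest field missing from Authentication-Info"
    # Presence only: the digest value must still be verified separately.
    return True, "digest present"

# Constructed sample request header (not from the original message).
SAMPLE_AUTHORIZATION = ('Digest username="alice", realm="example", nonce="n1", '
                        'uri="/doc", response="00", digest-required="true"')
```

The check only establishes that a digest field is present on a successful response; verifying the digest value is a separate step that this example does not perform.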