- From: Dave Kristol <dmk@bell-labs.com>
- Date: Tue, 30 Dec 1997 13:56:54 -0500
- To: John Franks <john@math.nwu.edu>
- Cc: Scott Lawrence <lawrence@agranat.com>, paulle@microsoft.com, ietf-http-wg@w3.org, http-wg@cuckoo.hpl.hp.com
John Franks wrote:
> [...]
>      transaction-info =
>            H(
>                   Method ":"
>                   digest-uri-value ":"
>                   media-type ":"         ; Content-Type, see section 3.7 of [2]
>                   content-coding ":"     ; Content-Encoding, see 3.5 of [2]
>                   dheader-content
>            )
>
>      dheader-content = *DIGIT ":"        ; HTTP response status code
>                        *DIGIT ":"        ; entity-length, see ??
>                        date ":"          ; contents of origin HTTP date header
>                        last-modified ":" ; last modified date
>                        expires           ; expiration date

It's time for me to be stupid again.

The dheader-content gets digested in transaction-info, and it gets sent in the clear as part of Authentication-Info. Is there any expectation (or requirement) that a receiver will validate the individual pieces of dheader-content? If not, then the sender could put arbitrary garbage in dheader-content, and as long as the same garbage appeared in both places, the bits will come out right, but nothing useful will have been accomplished.

Dave Kristol
Received on Tuesday, 30 December 1997 13:58:18 UTC
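
The check asked about in the message above, as an added example that is not part of the original message or of the draft under discussion: a receiver that only recomputes transaction-info from the cleartext dheader-content accepts any self-consistent value, while one that rebuilds dheader-content from the response it actually received does not. Assumptions: H is MD5 in hex, an absent header contributes an empty string, only the quoted transaction-info hash is modelled, and all function names and the sample response are constructed.

```python
import hashlib
import hmac

def H(data: str) -> str:
    # Assumption: H is MD5 rendered as hex; the quoted grammar does not define it.
    return hashlib.md5(data.encode("latin-1")).hexdigest()

def transaction_info(method, uri, media_type, coding, dheader_content):
    # Field order follows the quoted transaction-info production.
    return H(":".join([method, uri, media_type, coding, dheader_content]))

def dheader_from_response(status, headers, body):
    # Rebuild dheader-content from what the receiver actually got.
    # Assumption: an absent header contributes an empty string.
    return ":".join([str(status), str(len(body)),
                     headers.get("Date", ""),
                     headers.get("Last-Modified", ""),
                     headers.get("Expires", "")])

def digest_only_ok(method, uri, headers, claimed_dheader, digest):
    # Checks only that the cleartext dheader-content matches the digest.
    expected = transaction_info(method, uri, headers.get("Content-Type", ""),
                                headers.get("Content-Encoding", ""), claimed_dheader)
    return hmac.compare_digest(expected, digest)

def validated_ok(method, uri, status, headers, body, claimed_dheader, digest):
    # Additionally requires dheader-content to describe this very response.
    actual = dheader_from_response(status, headers, body)
    return (hmac.compare_digest(actual, claimed_dheader)
            and digest_only_ok(method, uri, headers, claimed_dheader, digest))

# Constructed sample response (not taken from the thread).
METHOD, URI, STATUS, BODY = "GET", "/index.html", 200, b"hello world"
HEADERS = {"Content-Type": "text/html", "Content-Encoding": "identity",
           "Date": "Tue, 30 Dec 1997 18:56:54 GMT",
           "Last-Modified": "Mon, 29 Dec 1997 10:00:00 GMT",
           "Expires": "Wed, 31 Dec 1997 18:56:54 GMT"}

def demo():
    # Maps each case to (digest-only verdict, field-validated verdict).
    results = {}
    for label, claimed in (("honest", dheader_from_response(STATUS, HEADERS, BODY)),
                           ("garbage", "999:0:x:y:z")):
        digest = transaction_info(METHOD, URI, "text/html", "identity", claimed)
        results[label] = (digest_only_ok(METHOD, URI, HEADERS, claimed, digest),
                          validated_ok(METHOD, URI, STATUS, HEADERS, BODY, claimed, digest))
    return results

if __name__ == "__main__":
    print(demo())
```

Comparing the rebuilt string as a whole avoids splitting dheader-content on ":", which would be ambiguous because HTTP dates contain colons themselves.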