- From: Dave Kristol <dmk@bell-labs.com>
- Date: Tue, 14 Apr 1998 14:58:09 -0400
- To: John Franks <john@math.nwu.edu>
- Cc: http-wg@cuckoo.hpl.hp.com
John Franks wrote:
> On Mon, 13 Apr 1998, Dave Kristol wrote:
> > 3.2.3 The Authentication-Info Header
> >
> > cnonce and qop are used in the calculation of response-digest. The
> > client is not required to send either cnonce= or auth=. So I assume
> > (correct?) that the null string is used for values for omitted
> > attributes in the calculation.
> >
> > If (to use cnonce as the example) cnonce was omitted, should
> > Authentication-Info omit cnonce, or should it send cnonce=""? Same
> > question for auth.
>
> It might be better to say that Authentication-Info should only be
> sent if qop (and hence cnonce) are present.

But cnonce is not required, even when qop is specified. Only nonce-count is required.

> Another question: Unless I am mistaken, at one point in the long
> sequence of digest drafts, the Authentication-Info header could be
> supplied by either the server or the client. It would be useful
> for the client to be able to supply the digest of POSTed data
> or a file which is PUT. Being able to assure the integrity of
> client supplied data would be very useful. Did this fall through
> the cracks, or am I just missing this functionality somewhere in
> the draft?

Hmmm. There does not seem to be a way for the client to send a digest of the entity-body. If it could, though, there's an ambiguity about qop=auth-int:

1) C<-S
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: ... qop="auth,auth-int", ...

2) C->S (speculative)
   POST /some/entity HTTP/1.1
   Host: blah
   Authorization: ... qop=auth-int, ...
   Authentication-Info: reqauth=<some suitable digest>, ...

3) C<-S (problematic)
   HTTP/1.1 200 OK
   Authentication-Info: qop=auth-int, rspauth=<entity digest>

The problem is that the client chose (this is speculative -- the spec. doesn't read this way) "auth-int", in order to send an entity digest. But the server is obliged to respond in kind, which means it must do a digest of what is probably not a very interesting response.

Dave Kristol
Received on Tuesday, 14 April 1998 12:05:26 UTC
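As an added example (not from the mail or the draft it discusses), the Digest arithmetic the thread is about, as it was later published in RFC 2617: the response-digest with qop present (nc and cnonce go into the hash) and without it (the RFC 2069-compatible form, where they are simply absent rather than null strings), the auth-int variant that folds the entity-body hash into A2 for both the request and the server's rspauth, and the client-side check that lets a modified response be detected. The function names, the `/some/entity` URI and the response body are assumptions of this example; the credentials and nonce are the RFC 2617 worked example.

```python
import hashlib
import hmac

def H(data: str) -> str:
    """RFC 2617 H(): MD5 of the octets, as lowercase hex."""
    return hashlib.md5(data.encode("latin-1")).hexdigest()

def KD(secret: str, data: str) -> str:
    """RFC 2617 KD(secret, data) = H(secret ":" data)."""
    return H(secret + ":" + data)

def ha1(username: str, realm: str, password: str) -> str:
    """A1 for algorithm=MD5: username ":" realm ":" password."""
    return H(f"{username}:{realm}:{password}")

def _digest(h_a1, a2, nonce, qop, nc, cnonce):
    # qop present: nonce ":" nc ":" cnonce ":" qop ":" H(A2); nc and cnonce must be sent.
    # qop absent: RFC 2069 form nonce ":" H(A2); nc/cnonce are not hashed at all.
    if qop is None:
        return KD(h_a1, f"{nonce}:{H(a2)}")
    if nc is None or cnonce is None:
        raise ValueError("nc and cnonce are required when qop is present")
    return KD(h_a1, f"{nonce}:{nc}:{cnonce}:{qop}:{H(a2)}")

def request_digest(h_a1, method, uri, nonce, qop=None, nc=None, cnonce=None, body=""):
    """'response' in Authorization. With auth-int, A2 also covers the request body,
    which is how a client protects POSTed or PUT data in the published RFC."""
    a2 = f"{method}:{uri}" + (f":{H(body)}" if qop == "auth-int" else "")
    return _digest(h_a1, a2, nonce, qop, nc, cnonce)

def rspauth(h_a1, uri, nonce, qop=None, nc=None, cnonce=None, body=""):
    """'rspauth' in Authentication-Info: same KD, but A2 has an empty method and,
    for auth-int, the hash of the *response* body the server must digest."""
    a2 = f":{uri}" + (f":{H(body)}" if qop == "auth-int" else "")
    return _digest(h_a1, a2, nonce, qop, nc, cnonce)

def client_verifies_response(received, h_a1, uri, nonce, qop, nc, cnonce, body):
    """Client-side mutual-auth check: recompute rspauth from the nonce/nc/cnonce the
    client itself sent and the body it actually received; a modified body fails."""
    expected = rspauth(h_a1, uri, nonce, qop, nc, cnonce, body)
    return hmac.compare_digest(expected, received)

if __name__ == "__main__":
    # Credentials/nonce from the RFC 2617 example; URI and body are constructed here.
    A1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    print(request_digest(A1, "GET", "/dir/index.html", nonce, "auth", nc, cnonce))
    good = rspauth(A1, "/some/entity", nonce, "auth-int", nc, cnonce, body="ok")
    print(client_verifies_response(good, A1, "/some/entity", nonce, "auth-int", nc, cnonce, "bad"))
```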