Re: Digest mess

From: John Franks <john@math.nwu.edu>
Date: Sat, 3 Jan 1998 15:27:53 -0600 (CST)
To: Scott Lawrence <lawrence@agranat.com>
cc: jg@w3.org, paulle@microsoft.com, http-wg@cuckoo.hpl.hp.com, ietf-http-wg@w3.org
Message-ID: <Pine.LNX.3.96.980103134611.2151A-100000@hopf.math.nwu.edu>

On Thu, 18 Dec 1997, Scott Lawrence wrote:

>   Removing the problematic field values from the calculation and
>   adding the original values as attributes are both
>   backward-incompatible changes; the question then becomes which will
>   do more:
>      1) to support authentication and integrity protection
>      2) to encourage wider implementation and use of the feature.
>   I think that with respect to (1) the two alternatives are
>   equivalent; neither ends up really preventing attacks based on cache
>   manipulation, and either is capable of detecting such attacks.  It
>   seems clear to me that making the scheme simpler by removing
>   elements from the calculation is more likely to encourage wider
>   implementation. 

Actually the contrary may be the case.  It seems that the ability to
digest *arbitrary* origin headers, including as yet undefined ones, is
very important to some potential implementers.

Currently the best idea on how to do this is Jeff Mogul's suggestion
that the origin agent take a set of headers it wishes to digest

HTTP/1.1 200 OK
Date: Sat, 03 Jan 1998 19:52:37 GMT
Expires: Sun, 04 Jan 1998 19:52:37 GMT
Last-modified: Fri, 25 Jul 1997 15:44:39 GMT
ETag: "33d8c9e7=30845=6c5"
Content-type: text/html
Content-length: 1733

And encode them (including CRLFs) either using base64 or URL-encoding
and put the result in an "origin-headers" field of Authentication-info,
getting something like

origin-headers =

A few issues come to mind:

1.  URL-encoding is simpler and shorter (I think).  Base64 has
a standard for breaking lines and we will surely need to do that.

2. The client also may send a digest, but it has no Authentication-info
header.  Does it need one?

3. Gzip'ing the headers above and then doing base64 gave only slight
improvement over just base64:  285 bytes vs. 313.

John Franks
Received on Sunday, 4 January 1998 00:15:49 UTC
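
The encoding comparison discussed in the message, as an added example that is not part of the original post: it encodes the quoted header block (with CRLFs) as base64, line-wrapped base64, gzip plus base64, and two URL-encoding variants, then checks that each decodes back to the same bytes. The two escape sets and the function names are assumptions of this example; the message does not say which characters URL-encoding would escape.

```python
import base64
import gzip
from urllib.parse import quote, unquote

# The origin headers quoted in the message, joined with CRLF line endings.
ORIGIN_HEADERS = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Sat, 03 Jan 1998 19:52:37 GMT",
    "Expires: Sun, 04 Jan 1998 19:52:37 GMT",
    "Last-modified: Fri, 25 Jul 1997 15:44:39 GMT",
    'ETag: "33d8c9e7=30845=6c5"',
    "Content-type: text/html",
    "Content-length: 1733",
]) + "\r\n"

# Assumption: a "minimal" escape set for a quoted attribute value leaves all
# printable ASCII alone except the double quote, backslash and '%'.
# CR and LF are outside the printable range, so they are always escaped.
MINIMAL_SAFE = "".join(chr(c) for c in range(0x20, 0x7F) if chr(c) not in '"\\%')


def encode(headers: str) -> dict:
    """Return the header block under each candidate encoding."""
    raw = headers.encode("ascii")
    return {
        "base64": base64.b64encode(raw).decode("ascii"),
        # encodebytes() breaks the output into 76-character lines.
        "base64_wrapped": base64.encodebytes(raw).decode("ascii"),
        "gzip_base64": base64.b64encode(gzip.compress(raw)).decode("ascii"),
        # Assumption: "strict" escapes everything except unreserved characters.
        "url_strict": quote(headers, safe=""),
        "url_minimal": quote(headers, safe=MINIMAL_SAFE),
    }


def decode(kind: str, value: str) -> str:
    """Recover the original header block a verifier would feed to the digest."""
    if kind.startswith("url"):
        return unquote(value)
    data = base64.b64decode(value)  # line breaks in wrapped input are discarded
    if kind == "gzip_base64":
        data = gzip.decompress(data)
    return data.decode("ascii")


def sizes(headers: str) -> dict:
    return {kind: len(value) for kind, value in encode(headers).items()}


if __name__ == "__main__":
    for kind, n in sizes(ORIGIN_HEADERS).items():
        print(f"{kind:15} {n:4d} bytes")
```

For this header block the size of the URL-encoded form depends entirely on the escape set: escaping every reserved character comes out longer than base64, while escaping only CR, LF, the double quote, backslash and '%' comes out shorter.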