Re: Digest mess

On Sat, 3 Jan 1998, John Franks wrote:

> 
> Actually the contrary may be the case.  It seems that the ability to
> digest *arbitrary* origin headers, including as yet undefined ones, is
> very important to some potential implementers.
> 
> Currently the best idea on how to do this is Jeff Mogul's suggestion
> that the origin agent take a set of headers it wishes to digest
> like
> 
> HTTP/1.1 200 OK
> Date: Sat, 03 Jan 1998 19:52:37 GMT
> Expires: Sun, 04 Jan 1998 19:52:37 GMT
> Last-modified: Fri, 25 Jul 1997 15:44:39 GMT
> ETag: "33d8c9e7=30845=6c5"
> Content-type: text/html
> Content-length: 1733
> 
> And encode them (including CRLFs) either using base64 or URL-encoding
> and put the result in an "origin-headers" field of Authentication-info,
> getting something like
> 
> origin-headers =
>  "SFRUUC8xLjEgMjAwIE9LCkRhdGU6IFNhdCwgMDMgSmFuIDE5OTggMTk6NTI6
>   MzcgR01UCkV4cGlyZXM6IFN1biwgMDQgSmFuIDE5OTggMTk6NTI6MzcgR01U
>   Ckxhc3QtbW9kaWZpZWQ6IEZyaSwgMjUgSnVsIDE5OTcgMTU6NDQ6MzkgR01U
>   CkVUYWc6ICIzM2Q4YzllNz0zMDg0NT02YzUiCkNvbnRlbnQtdHlwZTogdGV4
>   dC9odG1sCkNvbnRlbnQtbGVuZ3RoOiAxNzMzCgo="
> 
> A few issues come to mind:
> 
> 1.  URL-encoding is simpler and shorter (I think).  Base64 has
> a standard for breaking lines and we will surely need to do that.
> 
> 2. The client also may send a digest, but it has no Authentication-info
> header.  Does it need one?
> 

To answer my own question: No, it doesn't need one, but origin-headers
should be a field of the Authorization request header, when there is a
"digest" field.  Origin-headers could include any headers the client
wishes to have digested.

E.g. 

  PUT /file HTTP/1.1
  Host: whatever.edu
  Content-type: text/html
  Whatever: whatever

Just to clarify, "digest" and "origin-headers" should be fields of both
the Authorization request header and the Authentication-info response
header.  They can be defined by


            digest             = "digest" "=" entity-digest
            origin-headers     = "origin-headers" "="
                                        <"> origin-headers-value <">

            origin-headers-value = URL or base64 encoded version of headers.
                                   (this needs specifying)

            entity-digest =
                    <"> KD (H(H(A1)), unquoted nonce-value ":"
                         transaction-info ":" H(entity-body)) <">
                                       ; format is <"> *LHEX <">

            transaction-info       =
              H(
                Method ":"
                digest-uri-value ":"
                origin-headers-value
                )

If the origin-headers field is omitted then by implication 
origin-headers-value is empty.  

Roy Fielding suggests that the "digest" field be renamed.  Any
suggestions?

John Franks
john@math.nwu.edu

Received on Sunday, 4 January 1998 10:11:54 UTC
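
The entity-digest grammar in the message above, worked through in Python as an added example that is not part of the original post. It assumes the RFC 2069 definitions (H is MD5 as lowercase hex, KD(secret, data) is H(secret ":" data), A1 is user:realm:password), that nested H() hashes the hex text, and base64 without line folding for origin-headers-value; the nonce, credentials and body are constructed sample values.

```python
import base64
import hashlib
import hmac


def H(data: bytes) -> str:
    """Assumed: MD5 rendered as lowercase hex, as in RFC 2069."""
    return hashlib.md5(data).hexdigest()


def KD(secret: str, data: str) -> str:
    """Assumed: KD(secret, data) = H(secret ":" data), as in RFC 2069."""
    return H(f"{secret}:{data}".encode())


def encode_origin_headers(raw_headers: bytes) -> str:
    """Assumed encoding: base64, no line breaks (the message leaves this open)."""
    return base64.b64encode(raw_headers).decode("ascii")


def entity_digest(a1, nonce, method, uri, body, origin_headers_value=""):
    """entity-digest per the grammar in the message. An omitted
    origin-headers field means an empty origin-headers-value."""
    transaction_info = H(f"{method}:{uri}:{origin_headers_value}".encode())
    data = f"{nonce}:{transaction_info}:{H(body)}"
    return KD(H(H(a1.encode()).encode()), data)


def verify(received, a1, nonce, method, uri, body, origin_headers_value=""):
    """Recompute the digest from what was received; constant-time compare."""
    expected = entity_digest(a1, nonce, method, uri, body, origin_headers_value)
    return hmac.compare_digest(expected, received)


# Constructed sample values; only the PUT headers come from the message.
A1 = "user:realm@whatever.edu:secret"
NONCE = "constructed-nonce-0001"
BODY = b"<html>hello</html>"
HEADERS = b"Host: whatever.edu\r\nContent-type: text/html\r\nWhatever: whatever\r\n"

if __name__ == "__main__":
    ohv = encode_origin_headers(HEADERS)
    digest = entity_digest(A1, NONCE, "PUT", "/file", BODY, ohv)
    print("origin-headers =", ohv)
    print("digest         =", digest)
    # A header rewritten in transit no longer matches the sender's digest.
    altered = encode_origin_headers(HEADERS.replace(b"text/html", b"text/plain"))
    print("altered verifies:", verify(digest, A1, NONCE, "PUT", "/file", BODY, altered))
```

The receiver hashes the origin-headers-value exactly as it arrived, so the digest covers the encoded header block carried in the field, not whatever headers an intermediary has since rewritten on the message itself.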