Re: Digest mess

>>>>> "DK" == Dave Kristol <dmk@bell-labs.com> writes:

DK> The conflicting positions (should Digest have some kind of integrity
DK> check?) seem to stem from two different perspectives:

DK> 1) Servers want to identify users.  Neither the server nor the client is
DK> particularly concerned about the integrity of messages (typically GETs
DK> that return information to the client).

  I don't accept that at all.  If I'm a client requesting a form that
  I'm going to submit authenticated, I'd like to know that the form is
  what the server sent (not one with a new ACTION= attribute inserted
  to send it somewhere else), and that the result of submitting the
  form is equally authentic.  Both of these require server->client
  authentication and message integrity.

DK> Can the two functions be separated so (1) can progress with "old"
DK> Digest?

  I don't think so (but I bet no one is surprised at that).

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/

Received on Wednesday, 7 January 1998 11:22:08 UTC