- From: Scott Lawrence <lawrence@agranat.com>
- Date: Wed, 07 Jan 1998 13:53:21 -0500
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>>>>> "DK" == Dave Kristol <dmk@bell-labs.com> writes:

DK> The conflicting positions (should Digest have some kind of integrity
DK> check?) seem to stem from two different perspectives:

DK> 1) Servers want to identify users. Neither the server nor the client is
DK> particularly concerned about the integrity of messages (typically GETs
DK> that return information to the client).

I don't accept that at all. If I'm a client requesting a form that I'm going to submit authenticated, I'd like to know that the form is what the server sent (not one with a new ACTION= attribute inserted to send it somewhere else), and that the result of submitting the form is equally authentic. Both of these require server->client authentication and message integrity.

DK> Can the two functions be separated so (1) can progress with "old"
DK> Digest?

I don't think so (but I bet no one is surprised at that).

--
Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/

Received on Wednesday, 7 January 1998 11:22:08 UTC