Authentication issue CNONCE: Proposed resolution from Larry Masinter on 1998-07-28 (ietf-http-wg@w3.org from July to September 1998)

From: Larry Masinter <masinter@parc.xerox.com>
Date: Tue, 28 Jul 1998 10:58:19 PDT
To: HTTP Working Group <http-wg@cuckoo.hpl.hp.com>
Message-Id: <002501bdba51$4db3fac0$15d0000d@copper-208.parc.xerox.com>

(I'm going through the Authentication issue list
http://www.w3.org/Protocols/HTTP/Issues/ 
seeing if there are actually proposed resolutions of the open issues):

In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0031.html
Dave Kristol wrote:

# 3.2.3 The Authentication-Info Header
# cnonce and qop are used in the calculation of response-digest.  The
# client is not required to send either cnonce= or auth=.  So I assume
# (correct?) that the null string is used for values for omitted
# attributes in the calculation.

I suggest that this be the correct interpretation, that the null
string is used for values for omitted attributes in the calculation.

# If (to use cnonce as the example) cnonce was omitted, should
# Authentication-Info omit cnonce, or should it send cnonce=""?  Same
# question for auth.

I propose that either MAY be allowed, since they are equivalent.

Larry
--
http://www.parc.xerox.com/masinter

Received on Tuesday, 28 July 1998 10:59:52 UTC