- From: Scott Lawrence <lawrence@agranat.com>
- Date: Tue, 28 Jul 1998 18:12:53 +0000
- To: Larry Masinter <masinter@parc.xerox.com>
- Cc: HTTP Working Group <http-wg@cuckoo.hpl.hp.com>

Larry Masinter wrote:
> In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0031.html
> Dave Kristol wrote:
>
> # 3.2.3 The Authentication-Info Header
> # cnonce and qop are used in the calculation of response-digest. The
> # client is not required to send either cnonce= or auth=. So I assume
> # (correct?) that the null string is used for values for omitted
> # attributes in the calculation.
>
> I suggest that this be the correct interpretation, that the null
> string is used for values for omitted attributes in the calculation.
>
> # If (to use cnonce as the example) cnonce was omitted, should
> # Authentication-Info omit cnonce, or should it send cnonce=""? Same
> # question for auth.
>
> I propose that either MAY be allowed, since they are equivalent.

I think that this is an acceptable resolution, but that the Security
Considerations section will need a short paragraph on the implications
of leaving this out - the server is then not authenticated to the user
agent.

--
Scott Lawrence Consulting Engineer <lawrence@agranat.com>
Agranat Systems, Inc. Embedded Web Technology http://www.agranat.com/

Received on Tuesday, 28 July 1998 11:27:09 UTC