- From: Paul Leach <paulle@microsoft.com>
- Date: Thu, 6 Aug 1998 22:35:39 -0700
- To: 'Scott Lawrence' <lawrence@agranat.com>, Larry Masinter <masinter@parc.xerox.com>
- Cc: HTTP Working Group <http-wg@cuckoo.hpl.hp.com>
How about -- if auth= or auth-int= are specified, cnonce= is required and MUST be a value never used before by the client?

> -----Original Message-----
> From: Scott Lawrence [mailto:lawrence@agranat.com]
> Sent: Tuesday, July 28, 1998 11:13 AM
> To: Larry Masinter
> Cc: HTTP Working Group
> Subject: Re: Authentication issue CNONCE: Proposed resolution
>
>
> Larry Masinter wrote:
>
> > In http://www.ics.uci.edu/pub/ietf/http/hypermail/1998q2/0031.html
> > Dave Kristol wrote:
> >
> > # 3.2.3 The Authentication-Info Header
> > # cnonce and qop are used in the calculation of response-digest. The
> > # client is not required to send either cnonce= or auth=. So I assume
> > # (correct?) that the null string is used for values for omitted
> > # attributes in the calculation.
> >
> > I suggest that this be the correct interpretation, that the null
> > string is used for values for omitted attributes in the calculation.
> >
> > # If (to use cnonce as the example) cnonce was omitted, should
> > # Authentication-Info omit cnonce, or should it send cnonce=""? Same
> > # question for auth.
> >
> > I propose that either MAY be allowed, since they are equivalent.
>
> I think that this is an acceptable resolution, but that the Security
> Considerations section will need a short paragraph on the implications of
> leaving this out - the server is then not authenticated to the user agent.
>
> --
> Scott Lawrence           Consulting Engineer
> <lawrence@agranat.com>
> Agranat Systems, Inc.    Embedded Web Technology
> http://www.agranat.com/
Received on Thursday, 6 August 1998 22:38:23 UTC
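
The point debated in this thread, as an added example that is not part of the original message or of any participant's code: a client-side check for the proposed rule (cnonce required and never reused when qop is given), and a comparison showing why a server reply computed over a null cnonce proves nothing to the user agent. The response-digest formula is assumed to be the one later published in RFC 2617; the class, function names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

def h(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def rspauth(user, realm, password, nonce, nc, cnonce, qop, uri):
    # Assumed formula (RFC 2617): KD(H(A1), nonce:nc:cnonce:qop:H(A2)),
    # where A2 for the server's reply is ":" + digest-uri.
    # An omitted attribute contributes the null string, as the thread proposes.
    ha1 = h(f"{user}:{realm}:{password}")
    ha2 = h(f":{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class CnonceTracker:
    """Proposed client rule: with qop set, cnonce is required and never reused."""
    def __init__(self):
        self._used = set()

    def issue(self) -> str:
        cnonce = secrets.token_hex(16)
        self.claim("auth", cnonce)
        return cnonce

    def claim(self, qop: str, cnonce: str) -> None:
        if qop in ("auth", "auth-int"):
            if not cnonce:
                raise ValueError("cnonce is required when qop is specified")
            if cnonce in self._used:
                raise ValueError("cnonce was already used by this client")
            self._used.add(cnonce)

def server_reply_verifies(received: str, **fields) -> bool:
    # Constant-time comparison of the received rspauth with the expected one.
    return hmac.compare_digest(received, rspauth(**fields))

# Constructed sample values; the other digest inputs are held equal on purpose.
BASE = dict(user="alice", realm="example", password="constructed-secret",
            nonce="constructed-server-nonce", nc="00000001",
            qop="auth", uri="/index.html")

def recorded_reply_still_verifies(cnonce_first: str, cnonce_second: str) -> bool:
    # A reply recorded in one exchange, checked by the client in a later one.
    recorded = rspauth(cnonce=cnonce_first, **BASE)
    return server_reply_verifies(recorded, cnonce=cnonce_second, **BASE)
```

With a null cnonce the recorded reply verifies again whenever the remaining inputs repeat, which is the loss of server authentication Scott Lawrence describes; a cnonce from `CnonceTracker.issue()` makes each expected reply unique.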