
rfc2617: response-auth calculation

From: Joe Orton <joe@orton.demon.co.uk>
Date: Sat, 17 Jul 1999 12:59:53 +0100 (BST)
To: http-wg@hplb.hpl.hp.com
Message-ID: <Pine.LNX.4.10.9907171240300.1041-100000@ankh.orton.local>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/470

Just after a clarification:

In the calculation of the response-auth digest for the
'Authentication-Info' header, is the qop-value used the one which is
sent by the client in the 'Authorization' header, or the one sent by
the server in the Auth-Info header itself?

Example: the client sends, e.g. a GET request, with no entity-body, so
uses "qop=auth" in the 'Authorization' header. The server response then
has an entity-body, and uses "qop=auth-int" in the 'Authentication-Info'

The sentence
                              The "response-digest" value is calculated
   as for the "request-digest" in the Authorization header, except that
   if "qop=auth" or is not specified in the Authorization header for the
   request, A2 is

implies that the qop-value the client sent is used, but the paragraph

     Indicates the "quality of protection" options applied to the
     response by the server.  The value "auth" indicates authentication;
     the value "auth-int" indicates authentication with integrity
     protection. The server SHOULD use the same value for the message-
     qop directive in the response as was sent by the client in the
     corresponding request.

seems to imply that the qop-value the server sends is used.



Joe Orton
joe@orton.demon.co.uk ... jeo101@york.ac.uk
Received on Saturday, 17 July 1999 05:49:47 UTC
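
Added example, not part of the original message: a Python sketch that computes response-auth (rspauth) under both readings the message contrasts, for the case it describes (request sent with qop=auth, response carrying qop=auth-int). It takes no position on which reading is correct; the credentials, nonce and URI are those of the RFC 2617 section 3.5 example, the response body is constructed, and the function names are this example's own.

```python
import hashlib
import hmac

def h(data: bytes) -> str:
    """H() from RFC 2617 for algorithm=MD5: lowercase hex MD5."""
    return hashlib.md5(data).hexdigest()

def digest(ha1, nonce, nc, cnonce, qop, method, uri, body=b""):
    """KD(H(A1), nonce:nc:cnonce:qop:H(A2)). Pass method="" for the
    response-auth form, where A2 begins with ':' instead of the method."""
    a2 = f"{method}:{uri}"
    if qop == "auth-int":
        a2 += ":" + h(body)  # integrity variant appends H(entity-body)
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{h(a2.encode())}".encode())

def rspauth_candidates(ha1, nonce, nc, cnonce, uri, request_qop, response_qop, body):
    """response-auth under each reading of the spec text quoted in the message."""
    return {
        # Reading 1: the qop the client sent in Authorization decides A2.
        "client-qop": digest(ha1, nonce, nc, cnonce, request_qop, "", uri, body),
        # Reading 2: the qop the server sends in Authentication-Info decides A2.
        "server-qop": digest(ha1, nonce, nc, cnonce, response_qop, "", uri, body),
    }

def which_reading(received, candidates):
    """Name of the reading that reproduces the server's rspauth, else None."""
    for name, expected in candidates.items():
        if hmac.compare_digest(received.lower(), expected):  # constant-time compare
            return name
    return None

# Credentials and request parameters from the RFC 2617 section 3.5 example.
HA1 = h(b"Mufasa:testrealm@host.com:Circle Of Life")
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
URI = "/dir/index.html"
BODY = b"<html>constructed response body</html>"  # constructed sample entity-body

CANDIDATES = rspauth_candidates(HA1, NONCE, NC, CNONCE, URI, "auth", "auth-int", BODY)

if __name__ == "__main__":
    for name, value in CANDIDATES.items():
        print(f"{name}: rspauth={value}")
```

The two candidates differ, so a client that verifies rspauth under one reading rejects a server that computed it under the other.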
