- From: Joe Orton <joe@orton.demon.co.uk>
- Date: Sat, 17 Jul 1999 12:59:53 +0100 (BST)
- To: http-wg@hplb.hpl.hp.com

Just after a clarification:

In the calculation of the response-auth digest for the
'Authentication-Info' header, is the qop-value used the one which is
sent by the client in the 'Authorization' header, or the one sent by
the server in the Auth-Info header itself?

Example: the client sends, e.g. a GET request, with no entity-body, so
uses "qop=auth" in the 'Authorization' header. The server response then
has an entity-body, and uses "qop=auth-int" in the 'Authentication-Info'
header.

The sentence

    The "response-digest" value is calculated
    as for the "request-digest" in the Authorization header, except that
    if "qop=auth" or is not specified in the Authorization header for the
    request, A2 is
    ...

implies that the qop-value the client sent is used, but the paragraph

    message-qop
      Indicates the "quality of protection" options applied to the
      response by the server. The value "auth" indicates authentication;
      the value "auth-int" indicates authentication with integrity
      protection. The server SHOULD use the same value for the message-
      qop directive in the response as was sent by the client in the
      corresponding request.

seems to imply that the qop-value the server sends is used.

Regards,

joe

--
Joe Orton
joe@orton.demon.co.uk ... jeo101@york.ac.uk
http://www.orton.demon.co.uk/
Received on Saturday, 17 July 1999 05:49:47 UTC
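
The two readings raised in the message above, worked through as an added example that is not part of the original post: it computes the response-digest (rspauth) for both qop values using the A1, A2 and KD definitions of RFC 2617 sections 3.2.2 and 3.2.3 with algorithm MD5, and reports which reading reproduces a value received from a server. All credentials, nonces and the body are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac

def H(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def rspauth(qop, user, realm, password, nonce, nc, cnonce, uri, body=b""):
    """response-digest for Authentication-Info, computed for the given qop."""
    ha1 = H(f"{user}:{realm}:{password}".encode())        # H(A1), algorithm=MD5
    if qop == "auth-int":
        a2 = f":{uri}:{H(body)}"    # response A2: no method, covers entity-body
    elif qop == "auth":
        a2 = f":{uri}"              # response A2: no method, body not covered
    else:
        raise ValueError(f"unsupported qop: {qop!r}")
    ha2 = H(a2.encode())
    # KD(H(A1), nonce ":" nc ":" cnonce ":" qop ":" H(A2))
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def which_qop(received, request_qop, response_qop, **params):
    """Return which reading(s) reproduce the received rspauth value."""
    hits = []
    for label, qop in (("request", request_qop), ("response", response_qop)):
        if hmac.compare_digest(rspauth(qop, **params), received):
            hits.append(label)
    return hits

# Constructed sample exchange: GET with qop=auth, response carrying a body.
SAMPLE = dict(user="alice", realm="example", password="secret",
              nonce="5f2a9c0d1e", nc="00000001", cnonce="0a4f113b",
              uri="/index.html", body=b"<html>hello</html>")

if __name__ == "__main__":
    by_request = rspauth("auth", **SAMPLE)       # reading 1: client's qop
    by_response = rspauth("auth-int", **SAMPLE)  # reading 2: server's qop
    print("qop from Authorization:      ", by_request)
    print("qop from Authentication-Info:", by_response)
    print(which_qop(by_response, "auth", "auth-int", **SAMPLE))
```

Under the first reading the digest does not depend on the response body at all, so a client that wants the entity-body covered has to confirm that the value it accepted matches the "auth-int" computation.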