rfc2617: response-auth calculation

Just after a clarification:

In the calculation of the response-auth digest for the
'Authentication-Info' header, is the qop-value used the one which is
sent by the client in the 'Authorization' header, or the one sent by
the server in the Auth-Info header itself?

Example: the client sends, e.g. a GET request, with no entity-body, so
uses "qop=auth" in the 'Authorization' header. The server response then
has an entity-body, and uses "qop=auth-int" in the 'Authentication-Info'

The sentence
                              The "response-digest" value is calculated
   as for the "request-digest" in the Authorization header, except that
   if "qop=auth" or is not specified in the Authorization header for the
   request, A2 is

implies that the qop-value the client sent is used, but the paragraph

     Indicates the "quality of protection" options applied to the
     response by the server.  The value "auth" indicates authentication;
     the value "auth-int" indicates authentication with integrity
     protection. The server SHOULD use the same value for the message-
     qop directive in the response as was sent by the client in the
     corresponding request.

seems to imply that the qop-value the server sends is used.



Joe Orton
joe@orton.demon.co.uk ... jeo101@york.ac.uk

Received on Saturday, 17 July 1999 05:49:47 UTC
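The two calculations the question above turns on, worked through in code. This is an added example and not part of the original message; it uses the credentials, nonce and URI from the RFC 2617 section 3.5 example for the request side, a constructed response body for the server side, and function names of my own. It computes rspauth both ways (with the client's qop=auth and with the server's qop=auth-int) so the difference is concrete.

```python
"""RFC 2617 Digest: request-digest vs. response-digest (rspauth).

Added example, not from the original post. Request-side values are the
RFC 2617 section 3.5 example; the response body is constructed.
"""
import hashlib
import hmac


def H(data: str) -> str:
    """H(data) from RFC 2617: lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data)."""
    return H(secret + ":" + data)


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5: A1 = username ":" realm ":" passwd."""
    return H(f"{username}:{realm}:{password}")


def request_a2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    """A2 for the Authorization header (RFC 2617 section 3.2.2.3)."""
    if qop == "auth-int":
        return f"{method}:{uri}:{hashlib.md5(body).hexdigest()}"
    return f"{method}:{uri}"


def response_a2(uri: str, qop: str, body: bytes = b"") -> str:
    """A2 for rspauth in Authentication-Info (section 3.2.3): same shape as
    the request A2 but with an empty method, so it starts with ":"."""
    if qop == "auth-int":
        return f":{uri}:{hashlib.md5(body).hexdigest()}"
    return f":{uri}"


def request_digest(h_a1, method, uri, nonce, nc, cnonce, qop, body=b""):
    """request-digest = KD(H(A1), nonce ":" nc ":" cnonce ":" qop ":" H(A2))."""
    h_a2 = H(request_a2(method, uri, qop, body))
    return KD(h_a1, f"{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


def response_digest(h_a1, uri, nonce, nc, cnonce, qop, body=b""):
    """rspauth: as request-digest, but with the response A2. `qop` is
    whichever value the implementer decides governs A2 (the open question)."""
    h_a2 = H(response_a2(uri, qop, body))
    return KD(h_a1, f"{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


def verify_request(h_a1, method, uri, nonce, nc, cnonce, qop, response, body=b""):
    """Server-side check of the client's response, constant-time compare."""
    expected = request_digest(h_a1, method, uri, nonce, nc, cnonce, qop, body)
    return hmac.compare_digest(expected, response)


def authentication_info(rspauth, qop, cnonce, nc):
    """Render the server's Authentication-Info header line."""
    return (f'Authentication-Info: qop={qop}, rspauth="{rspauth}", '
            f'cnonce="{cnonce}", nc={nc}')


def demo():
    # RFC 2617 section 3.5 example values (password "Circle Of Life").
    h_a1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    uri, nc, cnonce = "/dir/index.html", "00000001", "0a4f113b"

    # Client: GET with no entity-body, so it sends qop=auth.
    req = request_digest(h_a1, "GET", uri, nonce, nc, cnonce, "auth")
    # -> 6629fae49393a05397450978507c4ef1 (the RFC's own example value)

    # Server: the response has a body (constructed sample).
    body = b"<html>constructed sample response body</html>\n"
    # Interpretation 1: use the qop the client sent (auth): A2 = ":" uri
    rsp_client_qop = response_digest(h_a1, uri, nonce, nc, cnonce, "auth")
    # Interpretation 2: use the qop the server sends (auth-int):
    #   A2 = ":" uri ":" H(entity-body)
    rsp_server_qop = response_digest(h_a1, uri, nonce, nc, cnonce, "auth-int", body)

    return {
        "request": req,
        "rspauth_client_qop": rsp_client_qop,
        "rspauth_server_qop": rsp_server_qop,
        "header_server_qop": authentication_info(rsp_server_qop, "auth-int", cnonce, nc),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two rspauth values differ in both the A2 string and the qop field inside KD, so a client that picks the other interpretation will reject a valid server response; whichever reading an implementation adopts, it has to be the same on both ends.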