Just after a clarification: In the calculation of the response-auth digest for the 'Authentication-Info' header, is the qop-value used the one which is sent by the client in the 'Authorization' header, or the one sent by the server in the Auth-Info header itself? Example: the client sends, e.g. a GET request, with no entity-body, so uses "qop=auth" in the 'Authorization' header. The server response then has an entity-body, and uses "qop=auth-int" in the 'Authentication-Info' header. The sentence The "response-digest" value is calculated as for the "request-digest" in the Authorization header, except that if "qop=auth" or is not specified in the Authorization header for the request, A2 is ... implies that the qop-value the client sent is used, but the paragraph message-qop Indicates the "quality of protection" options applied to the response by the server. The value "auth" indicates authentication; the value "auth-int" indicates authentication with integrity protection. The server SHOULD use the same value for the message- qop directive in the response as was sent by the client in the corresponding request. seems to implies that the qop-value the server sends is used. Regards, joe -- Joe Orton joe@orton.demon.co.uk ... jeo101@york.ac.uk http://www.orton.demon.co.uk/Received on Saturday, 17 July 1999 05:49:47 UTC
This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:06 UTC