- From: Scott Lawrence <lawrence@agranat.com>
- Date: Mon, 19 Jul 1999 07:51:29 -0400
- To: Joe Orton <joe@orton.demon.co.uk>, "Http-Wg@Hplb. Hpl. Hp. Com" <http-wg@hplb.hpl.hp.com>
> In the calculation of the response-auth digest for the
> 'Authentication-Info' header, is the qop-value used the one which is
> sent by the client in the 'Authorization' header, or the one sent by
> the server in the Auth-Info header itself?

The intent was that they should be the same. The server presents alternatives it is willing to support in the WWW-Authenticate challenge, and the client chooses one in its Authorization. The server should then use that value in the response. If it is not willing to use 'auth', then it should not present that alternative in the challenge.

If you did switch between request and response, you would want the server to use the value it is sending in calculating the digest - the point of including it in the digest is that it be protected from modification.

As a practical matter, changing qop wouldn't work at all today, since the only commercial browser that does digest at all doesn't support 'auth-int' yet.

--
Scott Lawrence Director of R & D <lawrence@agranat.com>
Agranat Systems, Inc. Embedded Web Technology http://www.agranat.com/
Received on Monday, 19 July 1999 04:58:29 UTC
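The qop handling discussed in the message above, as an added example that is not part of the original message or of any implementation it mentions. It follows the response-auth definition in RFC 2617 section 3.2.3 with MD5; the function names, the dictionary layout and all credential, nonce and URI values are constructed for illustration.

```python
import hashlib
import hmac

def H(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def rspauth(ha1, nonce, nc, cnonce, qop, uri, body=b""):
    """response-auth digest: same as request-digest, but A2 has no method."""
    if qop == "auth":
        a2 = f":{uri}"
    elif qop == "auth-int":
        a2 = f":{uri}:{hashlib.md5(body).hexdigest()}"
    else:
        raise ValueError(f"unsupported qop: {qop!r}")
    # qop is part of the hashed string, so it is covered by the digest.
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{H(a2)}")

def server_auth_info(ha1, offered_qops, authz, body=b""):
    """Build Authentication-Info using the qop the client chose."""
    qop = authz["qop"]
    if qop not in offered_qops:
        # The server never offered this value in WWW-Authenticate.
        raise ValueError("client chose a qop that was not in the challenge")
    digest = rspauth(ha1, authz["nonce"], authz["nc"], authz["cnonce"],
                     qop, authz["uri"], body)
    return {"qop": qop, "nc": authz["nc"], "cnonce": authz["cnonce"],
            "rspauth": digest}

def rspauth_valid(ha1, authz, info, body=b""):
    """Client side: recompute with the qop received in Authentication-Info."""
    try:
        expected = rspauth(ha1, authz["nonce"], info["nc"], info["cnonce"],
                           info["qop"], authz["uri"], body)
    except ValueError:
        return False
    return hmac.compare_digest(expected, info["rspauth"])

# Constructed sample values (not taken from the message).
HA1 = H("alice:example-realm:correct horse")
AUTHZ = {"qop": "auth", "nonce": "n0nce-constructed", "nc": "00000001",
         "cnonce": "c0nce-constructed", "uri": "/index.html"}

if __name__ == "__main__":
    info = server_auth_info(HA1, ["auth", "auth-int"], AUTHZ)
    print("unmodified header verifies:", rspauth_valid(HA1, AUTHZ, info))
    tampered = dict(info, qop="auth-int")   # qop altered in transit
    print("modified qop verifies:", rspauth_valid(HA1, AUTHZ, tampered))
```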