RE: rfc2617: response-auth calculation

> In the calculation of the response-auth digest for the
> 'Authentication-Info' header, is the qop-value used the one which is
> sent by the client in the 'Authorization' header, or the one sent by
> the server in the Auth-Info header itself?

The intent was that they should be the same.  The server presents
alternatives it is willing to support in the WWW-Authenticate challenge, and
the client chooses one in its Authorization.  The server should then use
that value in the response.  If it is not willing to use 'auth', then it
should not present that alternative in the challenge.

If you did switch between request and response, you would want the server to
use the value it is sending in calculating the digest - the point of
including it in the digest is that it be protected from modification.

As a practical matter, changing qop wouldn't work at all today, since the
only commercial browser that does digest at all doesn't support 'auth-int'

Scott Lawrence           Director of R & D        <>
Agranat Systems, Inc.  Embedded Web Technology

Received on Monday, 19 July 1999 04:58:29 UTC