RE: rfc2617: response-auth calculation

> > In the calculation of the response-auth digest for the
> > 'Authentication-Info' header, is the qop-value used the one which is
> > sent by the client in the 'Authorization' header, or the one sent by
> > the server in the Auth-Info header itself?
> The intent was that they should be the same.  The server presents
> alternatives it is willing to support in the WWW-Authenticate challenge, and
> the client chooses one in its Authorization.  The server should then use
> that value in the response.  If it is not willing to use 'auth', then it
> should not present that alternative in the challenge.

Ah, can auth-int be used for messages with no body (zero-length), e.g.
GET requests? I presumed it couldn't, maybe this is the source of my

> If you did switch between request and response, you would want the server to
> use the value it is sending in calculating the digest - the point of
> including it in the digest is that it be protected from modification.

Okay, thanks.

> As a practical matter, changing qop wouldn't work at all today, since the
> only commercial browser that does digest at all doesn't support 'auth-int'
> yet.

(I'm writing client code).



Joe Orton ...

Received on Monday, 19 July 1999 07:31:27 UTC
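An added worked example (not part of this thread, and not Joe Orton's client code) of the RFC 2617 request-digest and response-auth calculation with the default MD5 algorithm, for qop=auth and qop=auth-int. The credentials, nonce, cnonce and URI are the ones from the example in RFC 2617 section 3.5. The round-trip function shows the point made above: the client's check of `rspauth` only succeeds when the server computes it with the qop the client sent in `Authorization`. For auth-int, the `body` argument is assumed to be the entity body of the message whose digest is being computed (request body for the request digest, response body for `rspauth`); a zero-length body is handled and contributes the MD5 of the empty string to A2.

```python
"""HTTP Digest (RFC 2617): request-digest and response-auth (rspauth), algorithm=MD5."""
import hashlib
import hmac

# MD5 of a zero-length entity body; this is what auth-int hashes when there is no body.
EMPTY_BODY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def H(data: str) -> str:
    """H(data) from RFC 2617: lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data)."""
    return H(secret + ":" + data)


def a1(username: str, realm: str, password: str) -> str:
    """A1 for algorithm=MD5 (the default). MD5-sess is not handled here."""
    return f"{username}:{realm}:{password}"


def a2(method: str, uri: str, qop: str, body: bytes) -> str:
    """A2. With auth-int the hash of the entity body is appended; a zero-length
    body is fine and contributes EMPTY_BODY_MD5. Which message's body is hashed
    (request or response) is an assumption documented in the lead-in."""
    if qop == "auth-int":
        return f"{method}:{uri}:{hashlib.md5(body).hexdigest()}"
    return f"{method}:{uri}"


def _digest(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    """request-digest / response-auth core: KD(H(A1), nonce:nc:cnonce:qop:H(A2))."""
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def request_digest(method, uri, username, realm, password,
                   nonce, nc, cnonce, qop, body=b""):
    """The 'response' directive the client sends in Authorization."""
    ha1 = H(a1(username, realm, password))
    return _digest(ha1, nonce, nc, cnonce, qop, H(a2(method, uri, qop, body)))


def response_auth(uri, username, realm, password,
                  nonce, nc, cnonce, qop, body=b""):
    """The 'rspauth' directive the server sends in Authentication-Info. Same as
    request_digest except the method in A2 is empty (RFC 2617 section 3.2.3);
    nonce, nc, cnonce and qop are those of the client's Authorization header."""
    ha1 = H(a1(username, realm, password))
    return _digest(ha1, nonce, nc, cnonce, qop, H(a2("", uri, qop, body)))


def mutual_auth_round_trip(client_qop: str, server_qop: str) -> bool:
    """Client authenticates with client_qop; the server verifies the request
    digest, then computes rspauth with server_qop; the client recomputes
    rspauth with the qop it actually sent. True only if both checks pass."""
    # Values taken from the RFC 2617 section 3.5 example (not from this thread).
    creds = dict(username="Mufasa", realm="testrealm@host.com", password="Circle Of Life")
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    nc, cnonce, uri = "00000001", "0a4f113b", "/dir/index.html"

    # Client -> server: Authorization ... response=<digest>, qop=<client_qop>
    sent = request_digest("GET", uri, **creds, nonce=nonce, nc=nc,
                          cnonce=cnonce, qop=client_qop)
    # Server recomputes with the qop the client chose and compares in constant time.
    expected = request_digest("GET", uri, **creds, nonce=nonce, nc=nc,
                              cnonce=cnonce, qop=client_qop)
    if not hmac.compare_digest(sent, expected):
        return False

    # Server -> client: Authentication-Info ... rspauth=<digest>, qop=<server_qop>
    rspauth = response_auth(uri, **creds, nonce=nonce, nc=nc,
                            cnonce=cnonce, qop=server_qop)
    # Client verifies against the qop, nonce, nc and cnonce it sent in the request.
    client_expected = response_auth(uri, **creds, nonce=nonce, nc=nc,
                                    cnonce=cnonce, qop=client_qop)
    return hmac.compare_digest(rspauth, client_expected)


if __name__ == "__main__":
    print("auth/auth:", mutual_auth_round_trip("auth", "auth"))
    print("auth-int/auth-int, empty body:", mutual_auth_round_trip("auth-int", "auth-int"))
    print("client auth, server auth-int:", mutual_auth_round_trip("auth", "auth-int"))
```

The server side never trusts the `qop` it would prefer; it takes the value from the client's `Authorization` for both verification and `rspauth`, and mutual authentication fails as soon as the two sides disagree on the qop string, since it is part of the data fed to KD.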