
RE: rfc2617: response-auth calculation

From: Joe Orton <joe@orton.demon.co.uk>
Date: Mon, 19 Jul 1999 14:29:34 +0100 (BST)
To: Scott Lawrence <lawrence@agranat.com>
cc: http-wg@hplb.hpl.hp.com
Message-ID: <Pine.LNX.4.10.9907191416510.1715-100000@ankh.orton.local>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/474

> > In the calculation of the response-auth digest for the
> > 'Authentication-Info' header, is the qop-value used the one which is
> > sent by the client in the 'Authorization' header, or the one sent by
> > the server in the Auth-Info header itself?
> 
> The intent was that they should be the same.  The server presents
> alternatives it is willing to support in the WWW-Authenticate challenge, and
> the client chooses one in its Authorization.  The server should then use
> that value in the response.  If it is not willing to use 'auth', then it
> should not present that alternative in the challenge.

Ah, can auth-int be used for messages with no body (zero-length), e.g.
GET requests? I presumed it couldn't, maybe this is the source of my
confusion.

> If you did switch between request and response, you would want the server to
> use the value it is sending in calculating the digest - the point of
> including it in the digest is that it be protected from modification.

Okay, thanks.

> As a practical matter, changing qop wouldn't work at all today, since the
> only commercial browser that does digest at all doesn't support 'auth-int'
> yet.

(I'm writing client code).

Regards,

joe

-- 
Joe Orton
joe@orton.demon.co.uk ... jeo101@york.ac.uk
http://www.orton.demon.co.uk/
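The calculation under discussion, as an added example that is not part of the original message or of any project mentioned in it: RFC 2617's request digest (the 'response' in Authorization) beside the server's response-auth digest (the 'rspauth' in Authentication-Info), for both qop=auth and qop=auth-int, plus the client-side check a Digest client would run on the Authentication-Info it receives. The username, realm, password, nonce, cnonce and URI are the RFC 2617 section 3.5 example values; the Authentication-Info header string and the zero-length response body are constructed for illustration. The check recomputes rspauth with the qop carried in the header, since that is the value the digest protects, and separately reports when it differs from the qop the client sent.

```python
"""RFC 2617 Digest: client 'response' and server 'rspauth' (response-auth).

Added example, not code from the original list message. Values other than
the RFC 2617 section 3.5 example are constructed for illustration.
"""
import hashlib
import hmac
import re


def H(data: bytes) -> str:
    """H() from RFC 2617: lowercase hex MD5 of the given bytes."""
    return hashlib.md5(data).hexdigest()


def KD(secret: str, data: str) -> str:
    """KD(secret, data) = H(secret ":" data)."""
    return H(f"{secret}:{data}".encode())


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5: A1 = username ":" realm ":" password."""
    return H(f"{username}:{realm}:{password}".encode())


def request_response(a1: str, method: str, uri: str, nonce: str, nc: str,
                     cnonce: str, qop: str, body: bytes = b"") -> str:
    """The 'response' a client sends in Authorization (RFC 2617 3.2.2.1).

    For qop=auth-int, A2 additionally covers H(entity-body). A request with
    no body (e.g. a GET) simply contributes H of the empty entity, so the
    formula is well defined for it.
    """
    a2 = f"{method}:{uri}" if qop == "auth" else f"{method}:{uri}:{H(body)}"
    return KD(a1, f"{nonce}:{nc}:{cnonce}:{qop}:{H(a2.encode())}")


def response_auth(a1: str, uri: str, nonce: str, nc: str, cnonce: str,
                  qop: str, body: bytes = b"") -> str:
    """The 'rspauth' a server sends in Authentication-Info (RFC 2617 3.2.3).

    Same construction as the request digest except that A2 has an empty
    method: ":" digest-uri-value [":" H(entity-body)], the body here being
    the response's entity body. nonce, nc and cnonce are those of the
    request being answered (nextnonce, if any, is for the following request).
    """
    a2 = f":{uri}" if qop == "auth" else f":{uri}:{H(body)}"
    return KD(a1, f"{nonce}:{nc}:{cnonce}:{qop}:{H(a2.encode())}")


# token=value or token="quoted value", comma separated (enough for this header)
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_auth_params(header_value: str) -> dict:
    """Parse the parameter list of an Authentication-Info header value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(header_value)}


def verify_authentication_info(header_value: str, a1: str, uri: str,
                               nonce: str, nc: str, cnonce: str,
                               sent_qop: str, response_body: bytes = b""):
    """Client-side check of a server's Authentication-Info header.

    Returns (ok, reason). rspauth is recomputed with the qop value carried
    in the header itself (the value the digest protects). A valid rspauth
    whose qop differs from the one the client sent in Authorization is still
    accepted, but the difference is reported so the caller can decide.
    """
    params = parse_auth_params(header_value)
    if "rspauth" not in params:
        return False, "no rspauth in Authentication-Info"
    qop = params.get("qop", sent_qop)
    expected = response_auth(a1, uri, nonce, nc, cnonce, qop, response_body)
    if not hmac.compare_digest(expected, params["rspauth"]):
        return False, "rspauth mismatch: server did not prove knowledge of H(A1)"
    if qop != sent_qop:
        return True, f"rspauth valid, but qop={qop} differs from sent qop={sent_qop}"
    return True, "rspauth valid"


if __name__ == "__main__":
    # RFC 2617 section 3.5 example values.
    A1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    URI = "/dir/index.html"
    print("request response (qop=auth):",
          request_response(A1, "GET", URI, NONCE, NC, CNONCE, "auth"))
    # Constructed: server answers the GET with a zero-length body under auth-int.
    rsp = response_auth(A1, URI, NONCE, NC, CNONCE, "auth-int", b"")
    header = f'qop=auth-int, rspauth="{rsp}", cnonce="{CNONCE}", nc={NC}'
    print(verify_authentication_info(header, A1, URI, NONCE, NC, CNONCE,
                                     "auth-int", b""))
```

The RFC 2617 example request digest is published in the RFC itself, so it serves as a known-answer check for the shared KD/H construction; rspauth has no published vector, but it differs from the request digest only in the empty method and the response body, so the same code path is exercised. The auth-int case over an empty body hashes the empty entity, which is what a client has to be prepared to compute and compare for a bodiless response.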
Received on Monday, 19 July 1999 07:31:27 UTC
