> > In the calculation of the response-auth digest for the
> > 'Authentication-Info' header, is the qop-value used the one which is
> > sent by the client in the 'Authorization' header, or the one sent by
> > the server in the Auth-Info header itself?
>
> The intent was that they should be the same. The server presents
> alternatives it is willing to support in the WWW-Authenticate challenge, and
> the client chooses one in its Authorization. The server should then use
> that value in the response. If it is not willing to use 'auth', then it
> should not present that alternative in the challenge.

Ah, can auth-int be used for messages with no body (zero-length), e.g.
GET requests? I presumed it couldn't, maybe this is the source of my
confusion.

> If you did switch between request and response, you would want the server to
> use the value it is sending in calculating the digest - the point of
> including it in the digest is that it be protected from modification.

Okay, thanks.

> As a practical matter, changing qop wouldn't work at all today, since the
> only commercial browser that does digest at all doesn't support 'auth-int'
> yet.

(I'm writing client code).

Regards,

joe

--
Joe Orton
joe@orton.demon.co.uk ... jeo101@york.ac.uk
http://www.orton.demon.co.uk/

Received on Monday, 19 July 1999 07:31:27 UTC
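
The rspauth check discussed in this thread, as an added example that is not part of the original message: it follows the response-auth rules of RFC 2617 section 3.2.3 with MD5 and shows that the qop value sent in Authentication-Info is bound into the digest. The function names are hypothetical, the credentials and nonces are the RFC's sample values, and hashing a zero-length body as the empty string for auth-int is an assumption.

```python
import hashlib
import hmac

def H(data: bytes) -> str:
    """MD5 hex digest, the default Digest algorithm."""
    return hashlib.md5(data).hexdigest()

def kd(ha1, method, uri, nonce, nc, cnonce, qop, body=b""):
    """request-digest for a real method; response-auth when method is ''
    (for rspauth, A2 starts with ':' because the method is left out)."""
    a2 = f"{method}:{uri}"
    if qop == "auth-int":
        # Assumption: a zero-length body is hashed as the empty string.
        a2 += ":" + H(body)
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{H(a2.encode())}".encode())

def verify_rspauth(info, sent_qop, ha1, uri, nonce, body=b""):
    """Client-side check of a parsed Authentication-Info header (dict)."""
    if info["qop"] != sent_qop:
        return False  # server answered with a qop the client did not choose
    expected = kd(ha1, "", uri, nonce, info["nc"], info["cnonce"],
                  info["qop"], body)
    return hmac.compare_digest(expected, info["rspauth"])

# Constructed sample values (credentials and nonces from the RFC 2617 example).
HA1 = H(b"Mufasa:testrealm@host.com:Circle Of Life")
URI = "/dir/index.html"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
NC, CNONCE = "00000001", "0a4f113b"

def server_auth_info(qop, body=b""):
    """Fields a server would place in Authentication-Info for this exchange."""
    return {"qop": qop, "nc": NC, "cnonce": CNONCE,
            "rspauth": kd(HA1, "", URI, NONCE, NC, CNONCE, qop, body)}

if __name__ == "__main__":
    good = server_auth_info("auth")
    print("auth accepted:", verify_rspauth(good, "auth", HA1, URI, NONCE))
    # qop altered after the server computed rspauth: the digest no longer matches.
    altered = dict(good, qop="auth-int")
    print("altered accepted:",
          verify_rspauth(altered, "auth-int", HA1, URI, NONCE))
    # auth-int on a bodiless message under the empty-string assumption.
    empty = server_auth_info("auth-int")
    print("auth-int, empty body:",
          verify_rspauth(empty, "auth-int", HA1, URI, NONCE))
```
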