- From: Stewart Brodie <stewart.brodie@antlimited.com>
- Date: Tue, 17 Aug 2004 15:52:42 +0100
- To: ietf-http-wg@w3.org

RFC2617 section 3.2.2.3 shows that A2 is constructed differently if the qop was auth-int - it has an extra colon and hash of the entity body. The example shown in section 3.5 features a server that offers both auth and auth-int. The sample client response has chosen to use auth - which it is at liberty to do given the server's offer.

What is supposed to happen if there is no entity-body but the server only offers to accept a qop of auth-int? I am assuming that I should create a hash of 0 bytes of data.

Initially, I had assumed that I should always choose the best option available and considered the added integrity protection with auth-int to make it "better" than plain auth if the chance to use it was presented. Should I prefer auth when it is available and there is no entity-body, like the example, or should I continue to generate the full auth-int request?

--
Stewart Brodie
Software Engineer
ANT Limited

Received on Tuesday, 17 August 2004 14:52:43 UTC
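
The two A2 constructions discussed in the message above, as an added example that is not part of the original post. It uses the credentials and nonce values from the RFC 2617 section 3.5 example; the function names are hypothetical, and the auth-int branch for a request without an entity-body follows the assumption stated in the message (an MD5 hash over zero bytes), which is not something this example establishes as required behaviour.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Hex MD5, the H() function of RFC 2617 when algorithm is MD5."""
    return hashlib.md5(data).hexdigest()


def a2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    """Build A2 per RFC 2617 section 3.2.2.3.

    qop=auth     -> Method ":" digest-uri
    qop=auth-int -> Method ":" digest-uri ":" H(entity-body)
    With no entity-body, body is b"" (assumption taken from the message).
    """
    if qop == "auth-int":
        return f"{method}:{uri}:{md5_hex(body)}"
    return f"{method}:{uri}"


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop, body=b""):
    """request-digest = KD(H(A1), nonce:nc:cnonce:qop:H(A2))."""
    ha1 = md5_hex(f"{username}:{realm}:{password}".encode())
    ha2 = md5_hex(a2(method, uri, qop, body).encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


# Values from the RFC 2617 section 3.5 example exchange.
RFC_EXAMPLE = dict(
    username="Mufasa",
    realm="testrealm@host.com",
    password="Circle Of Life",
    method="GET",
    uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001",
    cnonce="0a4f113b",
)

if __name__ == "__main__":
    for qop in ("auth", "auth-int"):
        print(qop, "A2 =", a2("GET", "/dir/index.html", qop))
        print(qop, "response =", digest_response(**RFC_EXAMPLE, qop=qop))
```
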