- From: Scott Lawrence <scott@skrb.org>
- Date: Wed, 12 Jul 2006 14:11:36 -0400
- To: "John C. Mallery" <jcma@csail.mit.edu>
- Cc: ietf-http-wg@w3.org
On Wed, 2006-07-12 at 14:47 +0000, John C. Mallery wrote:
> Few browsers seem to have implemented HTTP 1.1 Digest Authentication
> correctly, at least on the Mac.
>
> Digest authentication of proxy requests seems to be a major problem
> area.
>
> Firefox 2.0b1 seems to be the best implementation on the Mac.
>
> 1. I note, however, that it computes the digest based on the relative
> URI of the absolute URI requested of the proxy.
>
> RFC 2617 says that the uri should be
> digest-uri-value = request-uri ; As specified by HTTP/1.1
>
> RFC 2616 says that the Request-URI = "*" | absoluteURI |
> abs_path | authority
>
> Further, RFC 2617 says: "The authenticating server must assure that
> the resource designated by the "uri" directive is the same as the
> resource specified in the Request-Line; if they are not, the server
> SHOULD return a 400 Bad Request error."
>
> On my reading of the specs, this is a bug.

I'm not sure what 'this' you are referring to...

> What do people think?
>
> Should the specification be clarified in this regard?
>
> What should be done about backward compatibility for buggy clients?

besides fixing the buggy clients?

> 2. If the absoluteURI is used, there is an issue of canonicalizing
> the case of the scheme, host, and any escape codes.
>
> These are not treated by RFC 2617.
>
> Comments?

-- 
Scott Lawrence
http://skrb.org/scott/
Received on Wednesday, 12 July 2006 18:12:29 UTC
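
The server-side check discussed in the message above, as an added example that is not part of the original thread or of either RFC: it compares the Digest `uri` directive with the Request-URI and reports whether they match exactly, only after canonicalizing scheme/host case and escape codes, or only because the client sent the relative form of an absoluteURI. The function names, the `tolerate_relative` switch and the normalization rules (RFC 3986 section 6.2.2 style) are assumptions; RFC 2617 defines none of them, and the hosts are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Assumed policy: RFC 2617 does not define this normalization; the rules
# below (case-insensitive scheme/host, escape normalization) follow
# RFC 3986 section 6.2.2 and are an illustration only.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")

def _norm_escapes(text):
    """Uppercase %xx hex digits and decode escapes of unreserved characters."""
    def fix(match):
        char = chr(int(match.group(1), 16))
        return char if char in UNRESERVED else "%" + match.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, text)

def normalize(uri):
    """Return (scheme, authority, path-and-query) in canonical form."""
    if uri == "*":
        return ("", "", "*")
    parts = urlsplit(uri)
    target = _norm_escapes(parts.path) or "/"
    if parts.query:
        target += "?" + _norm_escapes(parts.query)
    # Assumes no userinfo in the authority, so lowercasing it is safe.
    return (parts.scheme.lower(), parts.netloc.lower(), target)

def compare_digest_uri(request_target, digest_uri):
    """Classify how the Digest "uri" directive relates to the Request-URI."""
    if request_target == digest_uri:
        return "exact"
    req, dig = normalize(request_target), normalize(digest_uri)
    if req == dig:
        return "normalized"
    # absoluteURI on the Request-Line, abs_path in "uri" (the client
    # behaviour described in the message above).
    if req[1] and not dig[0] and not dig[1] and req[2] == dig[2]:
        return "relative-of-absolute"
    return "mismatch"

def early_status(request_target, digest_uri, tolerate_relative=False):
    """Return 400 to reject, or None to go on to verify the digest itself."""
    verdict = compare_digest_uri(request_target, digest_uri)
    if verdict == "mismatch":
        return 400
    if verdict == "relative-of-absolute" and not tolerate_relative:
        return 400
    return None
```

Whatever the verdict, the digest itself has to be recomputed over the `uri` value exactly as the client sent it, since that is the string the client hashed.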