RE: Intent of 14.38 Server

Sorry, I didn't mean to imply that that was the motivation, just that
because it is that way, for whatever reason, authentication protocols
could previously depend on it.

I could imagine that wanting integrity protection for the header might
be interesting. I forget specific details, but it was kind of annoying
when designing Digest how few headers could be integrity protected that
it seemed it might be useful to protect. (The natural inclination of
security geeks is to be conservative and protect as much as possible,
instead of guessing what might be important.)

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org] 
Sent: Thursday, December 21, 2006 7:03 AM
To: Paul Leach
Cc: Travis Snoozy (Volt); ietf-http-wg@w3.org
Subject: RE: Intent of 14.38 Server

Wed 2006-12-20 at 17:24 -0800, Paul Leach wrote:
> Authentication protocols that provide integrity protection can rely on
> the original wording to mean that they can include fields that proxies
> aren't allowed to modify in the integrity check.

Are you sure?

I very much doubt that's the reason for the specific wording about the
Server header. Have always read that part as that the proxy has no
business mucking around with the Server header to advertise itself, it
MUST use the Via header for this purpose.

The Server header is supposed to advertise the software version of the
products making up the server, not as a communication channel or
capability indication.

Is it really true that proxies are not allowed to clean up LWS in Server
headers? I have always considered folding/unfolding, LWS cleanup and
list merging to be safe operations on all headers.


Regards
Henrik

Received on Thursday, 21 December 2006 19:30:17 UTC