- From: Paul Leach <paulle@windows.microsoft.com>
- Date: Thu, 21 Dec 2006 11:29:55 -0800
- To: Henrik Nordstrom <hno@squid-cache.org>
- CC: "Travis Snoozy (Volt)" <a-travis@microsoft.com>, <ietf-http-wg@w3.org>
Sorry, I didn't mean to imply that that was the motivation, just that because it is that way, for whatever reason, authentication protocols could previously depend on it.

I could imagine that wanting integrity protection for the header might be interesting. I forget specific details, but it was kind of annoying when designing Digest how few headers could be integrity protected that it seemed it might be useful to protect. (The natural inclination of security geeks is to be conservative and protect as much as possible, instead of guessing what might be important.)

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Thursday, December 21, 2006 7:03 AM
To: Paul Leach
Cc: Travis Snoozy (Volt); ietf-http-wg@w3.org
Subject: RE: Intent of 14.38 Server

Wed 2006-12-20 at 17:24 -0800, Paul Leach wrote:

> Authentication protocols that provide integrity protection can rely on
> the original wording to mean that they can include fields that proxies
> aren't allowed to modify in the integrity check.

Are you sure? I very much doubt that's the reason for the specific wording about the Server header.

I have always read that part as saying that the proxy has no business mucking around with the Server header to advertise itself; it MUST use the Via header for this purpose. The Server header is supposed to advertise the software version of the products making up the server, not serve as a communication channel or capability indication.

Is it really true that proxies are not allowed to clean up LWS in Server headers? I have always considered folding/unfolding, LWS cleanup and list merging to be safe operations on all headers.

Regards
Henrik

Received on Thursday, 21 December 2006 19:30:17 UTC