Re: Security Requirements for HTTP, draft -00

On Feb 5, 2008, at 8:23 PM, Paul Leach wrote:
>
> “Digest includes many modes of operation, but only the simplest  
> modes enjoy any degree of interoperability.  For example, most  
> implementations do not implement the mode that provides full message  
> integrity.  Perhaps one reason is that implementation experience has  
> shown that in some cases,
> especially those involving large requests or responses such as  
> streams, the message integrity mode is impractical because it  
> requires servers to analyze the full request before determining  
> whether the client knows the shared secret or whether message-body  
> integrity has been violated and hence whether the request can be  
> processed.”

I agree with the substance of this text. I find it a little hard to  
parse, but I trust the editors can remedy that.

- Rob

Received on Wednesday, 6 February 2008 08:48:46 UTC
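
The cost described in the quoted draft text, as an added example that is not part of the original thread: with RFC 2617 `qop=auth` a server can check the digest from the headers alone, while `qop=auth-int` (the message integrity mode) folds a hash of the entity body into the digest, so nothing can be decided until the whole body has been read. The credentials, nonce values, body and helper names are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(user, realm, password, method, uri,
                    nonce, nc, cnonce, qop, body_hash=None):
    """RFC 2617 request-digest for qop=auth or qop=auth-int."""
    ha1 = md5_hex(f"{user}:{realm}:{password}".encode())
    a2 = f"{method}:{uri}"
    if qop == "auth-int":
        a2 += f":{body_hash}"          # A2 also covers H(entity-body)
    ha2 = md5_hex(a2.encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def server_verify(creds, password, method, body_chunks):
    """Return (accepted, body bytes read before the decision was possible)."""
    read, body_hash = 0, None
    if creds["qop"] == "auth-int":
        h = hashlib.md5()
        for chunk in body_chunks:      # whole body must be consumed first
            h.update(chunk)
            read += len(chunk)
        body_hash = h.hexdigest()
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"],
                               creds["nc"], creds["cnonce"], creds["qop"],
                               body_hash)
    return hmac.compare_digest(expected, creds["response"]), read

# Constructed sample request: 3 x 64 KiB body chunks, hypothetical names/values.
BODY = [b"A" * 65536, b"B" * 65536, b"C" * 65536]
BASE = dict(username="alice", realm="example", uri="/upload",
            nonce="n0nce", nc="00000001", cnonce="c0ffee")

def client_creds(password, qop, body=BODY):
    """Build the Authorization parameters a client would send."""
    bh = md5_hex(b"".join(body)) if qop == "auth-int" else None
    resp = digest_response(BASE["username"], BASE["realm"], password, "PUT",
                           BASE["uri"], BASE["nonce"], BASE["nc"],
                           BASE["cnonce"], qop, bh)
    return dict(BASE, qop=qop, response=resp)

if __name__ == "__main__":
    for qop in ("auth", "auth-int"):
        bad = client_creds("wrong-password", qop)
        print(qop, server_verify(bad, "s3cret", "PUT", iter(BODY)))
```

A client that does not know the shared secret is rejected after 0 body bytes under `auth`, but only after all 196608 bytes under `auth-int`; the same holds for a body altered in transit.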