You're right (unless I missed something else);

[2617]
       digest-uri       = "uri" "=" digest-uri-value
       digest-uri-value = request-uri   ; As specified by HTTP/1.1

[2616]
Request-URI    = "*" | absoluteURI | abs_path | authority
                                      ^^^^^^^^
A pity.

On 2006/06/26, at 12:00 PM, Eric Rescorla wrote:

Mark Nottingham <[EMAIL PROTECTED]> writes:

On 2006/06/23, at 3:29 PM, Eric Rescorla wrote:
Part of the problem is that the user and the software have
a different view of the RP's identity. The software knows that
C1tibank and Citibank are different, but the user does not.

Fair enough.

Would it be correct to say that HTTP Digest Auth has this property
already (because A2 includes the digest-uri-value)? There are other
attacks that can be made against Digest, of course (e.g., dictionary
against weak passwords), but it's interesting to think of it as
having anti-phishing properties.

I'm not 100% sure. IIRC, the digest-uri-value is only the
path portion, i.e.,

     /example/example.html

rather than

     http://www.example.com/example/example.html

But I could totally be wrong on this.


-Ekr



--
Mark Nottingham
[EMAIL PROTECTED]




_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
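The thread's conclusion is that A2 in RFC 2617 carries the digest-uri-value, which is the HTTP/1.1 Request-URI, and that the Request-URI is normally sent in its abs_path form, so the host name is not part of what the password proves. The following is an added example, not code from this thread or from either author, that makes the consequence concrete: it implements the RFC 2617 request-digest (MD5, qop=auth), checks it against the interoperability vector in RFC 2617 section 3.5, and then plays out the look-alike-host relay from the discussion once with the abs_path form and once with the absoluteURI form. The host names, path, credentials and nonces used for the relay are constructed for illustration.

```python
"""
Why HTTP Digest (RFC 2617) does not bind the password proof to the server's host
name when digest-uri-value is the abs_path form of the Request-URI.
Added example for the dix thread; not code from the thread or its authors.
Host names, path, credentials and nonces below are constructed.
"""
import hashlib
import secrets


def _h(s: str) -> str:
    # RFC 2617 H(): MD5 of the octet string, as lowercase hex
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_uri_value(host: str, path: str, form: str) -> str:
    """Request-URI per RFC 2616: abs_path ("/a/b") or absoluteURI ("http://host/a/b")."""
    if form == "abs_path":
        return path
    if form == "absoluteURI":
        return f"http://{host}{path}"
    raise ValueError(f"unsupported Request-URI form: {form}")


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth: KD(H(A1), nonce:nc:cnonce:qop:H(A2))."""
    a1 = f"{username}:{realm}:{password}"
    a2 = f"{method}:{uri}"  # A2 is where the digest-uri-value enters the hash
    return _h(f"{_h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2)}")


def rfc2617_example_vector_matches() -> bool:
    """Check digest_response against the worked example in RFC 2617 section 3.5."""
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")
    return resp == "6629fae49393a05397450978507c4ef1"


def client_authorization(host, path, form, creds, nonce, cnonce):
    """Fields a client would place in its Authorization header for GET host+path."""
    uri = digest_uri_value(host, path, form)
    nc = "00000001"
    return {
        "username": creds["username"], "realm": creds["realm"], "uri": uri,
        "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(creds["username"], creds["realm"], creds["password"],
                                    "GET", uri, nonce, nc, cnonce),
    }


def server_verify(server_host, path, form, auth, password_db):
    """Server recomputes the digest for the Request-URI it actually received."""
    expected_uri = digest_uri_value(server_host, path, form)
    if auth["uri"] != expected_uri:
        return False  # RFC 2617 3.2.2.5: digest-uri must match the Request-URI
    pw = password_db.get(auth["username"])
    if pw is None:
        return False
    expected = digest_response(auth["username"], auth["realm"], pw, "GET",
                               expected_uri, auth["nonce"], auth["nc"], auth["cnonce"])
    return secrets.compare_digest(expected, auth["response"])


def relay_attack_succeeds(form: str) -> bool:
    """
    A look-alike host (c1tibank) fetches a challenge nonce from the real host
    (citibank), hands it to the victim, and forwards the victim's Authorization
    header unchanged. Returns True if the real host accepts it.
    """
    creds = {"username": "alice", "realm": "citibank", "password": "hunter2"}
    password_db = {"alice": "hunter2"}
    path = "/account/summary"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed: relayed from the real host
    cnonce = "0a4f113b"                            # constructed client nonce
    # The victim's browser believes it is authenticating to the look-alike host
    auth = client_authorization("c1tibank.example", path, form, creds, nonce, cnonce)
    # The look-alike host replays the header verbatim to the real host
    return server_verify("citibank.example", path, form, auth, password_db)


if __name__ == "__main__":
    print("RFC 2617 vector ok:", rfc2617_example_vector_matches())
    for form in ("abs_path", "absoluteURI"):
        print(f"relay accepted with {form}:", relay_attack_succeeds(form))
```

With the abs_path form the relayed header verifies, because nothing in A1 or A2 depends on which host the user thought they were talking to. With the absoluteURI form the real server's own recomputation of the Request-URI disagrees with the relayed one and the check fails; note that this binding comes from the server insisting that digest-uri equals the Request-URI it received, so a server that skips that comparison loses the property even when clients send absolute URIs.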