Authentication *before* GET?

Peter Lister, Cranfield Computer Centre (P.Lister@cranfield.ac.uk)
Fri, 11 Mar 1994 14:16:20 --100


Sorry, pressed the send button a touch early.

One thing which could be misinterpreted:

Key-info: KerberosIV-session-key

This is intended to convey that the server is telling the client to use the
Kerberos session key for encryption; *not* that either party should actually
quote the key over HTTP. This would be very, very silly. Actually, thinking
about my later comments, I really want a method for preceding each
request/reply with a header which says that the following text is encrypted
(or not) and the mechanism used.

Also, while I said that a Can-authenticate header should not default to "None"
(so that a very secure server can clearly insist on authentication), browsers
should treat the *absence* of Can-authenticate as "None", to cope with older
servers.

Flame away. :-)

Peter Lister Email: p.lister@cranfield.ac.uk
Computer Centre, Cranfield University Voice: +44 234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK Fax: +44 234 750875
--- Go stick your head in a pig. (R) Sirius Cybernetics Corporation ---
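As an added illustration of the rules sketched in the message above (not code from the original post or from any shipped server or browser), the toy module below models the three points: a Key-info value that only names a key and never carries key material, a per-message framing header that states whether the following text is encrypted and by what mechanism, and a Can-authenticate header with no server-side default but a client-side "absent means None" fallback. The header names Can-authenticate and Key-info come from the post; the Encryption: framing header, the mechanism vocabulary and all function names are assumptions made for the example.

```python
# Toy model of the header scheme sketched in the post.  Header names
# Can-authenticate and Key-info come from the post; the "Encryption:"
# framing header, the mechanism names and the function names are assumed
# for this example and do not describe any real implementation.

KNOWN_KEY_INFO = {"KerberosIV-session-key", "None"}   # assumed vocabulary


def _lookup(headers, name):
    """Case-insensitive header lookup; None if the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _split_list(value):
    """Split a comma-separated header value into stripped, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def client_acceptable_auth(headers):
    """Mechanisms a browser may use, per the post's rule: an absent
    Can-authenticate header is read as "None" (to cope with older servers),
    but a present header is taken literally and may omit "None" entirely."""
    value = _lookup(headers, "Can-authenticate")
    if value is None:
        return ["None"]
    mechs = _split_list(value)
    if not mechs:
        raise ValueError("Can-authenticate present but empty")
    return mechs


def anonymous_allowed(headers):
    """True only if the server permits unauthenticated access."""
    return "None" in client_acceptable_auth(headers)


def server_can_authenticate_header(mechanisms):
    """Server side: there is deliberately no default.  A server that wants to
    allow anonymous access must say "None" explicitly; an empty list is an
    error rather than silently becoming "None"."""
    if not mechanisms:
        raise ValueError("server must list at least one mechanism explicitly")
    return "Can-authenticate: " + ", ".join(mechanisms)


def check_key_info(value):
    """Key-info names *which* key to use; it must never carry the key itself.
    Accepting only a closed vocabulary of names is the simplest guard against
    an implementer quoting key bytes over HTTP."""
    if value not in KNOWN_KEY_INFO:
        raise ValueError("Key-info must name a known key, not carry key material")
    return value


def frame_message(mechanism, body):
    """Prefix each request/reply with a header stating whether the text that
    follows is encrypted and by what mechanism ("None" means cleartext)."""
    check_key_info(mechanism)
    return b"Encryption: " + mechanism.encode("ascii") + b"\r\n\r\n" + body


def parse_framed(raw):
    """Inverse of frame_message: returns (mechanism, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"Encryption: "):
        raise ValueError("missing Encryption framing header")
    mechanism = head[len(b"Encryption: "):].decode("ascii")
    return check_key_info(mechanism), body
```

The asymmetry is the point: the server-side builder refuses to guess, so a strict server cannot accidentally advertise anonymous access, while the client-side reader supplies "None" only when the header is missing altogether, which is exactly the old-server case the post describes.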