Quality of Protection Enhancements
The qop field may be present in all three digest headers: WWW-Authenticate, Authorization, and Authentication-Info.
The qop field lets clients and servers negotiate for different types and qualities of protection. For example, some transactions may want to sanity check the integrity of message bodies, even if that slows down transmission significantly.
The server first exports a comma-separated list of qop options in the WWW-Authenticate header. The client then selects one of the options that it supports and that meets its needs and passes it back to the server in its Authorization qop field.
Use of qop is optional, but only for backward compatibility with the older RFC 2069 specification. The qop option should be supported by all modern digest implementations.
RFC 2617 defines two initial quality of protection values: “auth,” indicating authentication, and “auth-int,” indicating authentication with message integrity protection. Other qop options are expected in the future.
Message Integrity Protection
If integrity protection is applied (qop="auth-int”), H (the entity body) is the hash of the entity body, not the message body. It is computed before any transfer encoding is applied by the sender and after it has been removed by the recipient. Note that this includes multipart boundaries and embedded headers in each part of any multipart content type.
Digest Authentication Headers
Both the basic and digest authentication protocols contain an authorization ...
Get HTTP: The Definitive Guide now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
